McAfee® Endpoint Encryption for PC
Administration Guide
Version 5.2.5
McAfee, Inc.
McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, USA
Tel: (+1) 888.847.8766
For more information regarding local McAfee representatives please contact your local McAfee office, or visit:
www.mcafee.com
Document: Endpoint Encryption for PC Administration Guide
Copyright (c) 1992‐2010 McAfee, Inc., and/or its affiliates. All rights reserved.
McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non‐McAfee related products, registered and/or unregistered trademarks contained herein is only by reference and are the sole property of their respective owners.
Contents
Preface 1
  Using this guide 1
  Audience 1
  Conventions 1
Welcome 2
  About This Guide 2
  Audience 2
  Related Documentation 3
  Acknowledgements 3
  Design Philosophy 3
  Contacting Technical Support 3
Introduction 4
  Why Endpoint Encryption for PC? 4
  How Endpoint Encryption for PC Works 4
    Protection 4
  Management 5
    The Object Directory 5
    Objects, Entities, and Attributes explained 6
  The Endpoint Encryption Components 6
    Endpoint Encryption Manager 7
    Endpoint Encryption Server 7
    Endpoint Encryption Object Directory 8
    Endpoint Encryption for PC Client 8
    Endpoint Encryption File Encryptor 9
    Endpoint Encryption Connector Manager 9
  Install and Deployment 10
Installing the Endpoint Encryption Manager 11
Endpoint Encryption for PC User Policies 12
  User Administration Functions 12
    Create Token 12
    Reset Token 12
    Set SSO Details 12
    Force Password Change at Next Logon 12
    View Audit 12
    Reset (All) to Group Configuration 12
    Create Copy 13
    Properties 13
  User Configuration Options 13
    General 13
    Devices 14
    Application Control 15
Using Tokens with Endpoint Encryption for PC 16
  Supported Smart Cards and Tokens 16
  General Token Operation 16
  Stored Value Tokens 17
  Certificate, or “Crypt Only” tokens 17
  Other Types Of Token 19
  Token Compatibility 19
  Specific Token Notes 19
  Sony Puppy Fingerprint Reader 22
  Aladdin eToken 64KB 24
  SafeNet IKEY 2032 24
  Endpoint Encryption Phantom USB Biometric Key 24
  Upek Fingerprint Reader 26
Creating and Configuring Machines 27
  Machine Administration Functions (right-click menu) 27
  Machine Configuration Options 29
File Groups and Management 42
  Setting file group functions 43
  Importing new files 43
  Exporting Files 43
  Deleting Files 44
  Setting File Properties 44
Adding components to a Machine 46
Using Endpoint Encryption as a File Deploy System 47
  Example - Copying a new file to the desktop 47
Creating an Install Package 49
  Selecting the Group / Machine 49
  Select the Install Set type 49
  Online Installs 50
  Offline Installs 50
  Importing a Transport Directory 51
  Summary of Offline Install set contents 51
  Select the Master Directory 52
  Set install options and create the set 53
Installing, Upgrading, and Removing Endpoint Encryption for PC 54
  Offline Package Installs 54
  Online Package Installs 54
  Removing / Uninstalling Endpoint Encryption Client 54
  Upgrading Endpoint Encryption from previous versions 55
Client Software 57
  The Tool Tray Icon 57
  Client Auditing 58
  Boot and Logon Process 58
  Endpoint Encryption Screen Saver 59
  Windows Sign-On and Logon Mechanisms 59
  Changing the Password 59
  Section 508: Logon Accessibility 59
Windows Sign-on and SSO 61
  Windows Logon Features 61
  How Windows Logon works 62
Auditing 64
  Introduction 64
  Common Audit Events 64
  Try Events 66
  Succeed Events 67
  Failure Events 67
Recovering Users and Machines 69
  Offline Recovery 69
  Local Recovery 72
  User Local Recovery Procedures 74
  Online Recovery 75
Trusted Applications 76
  Hash Sets 76
  Hash Set Properties 77
  File Hashes 77
  Using Hash Sets 78
Hash Generator 79
  Introduction 79
  Using Hash Generator 79
Common Criteria EAL4 Mode Operation 80
  Algorithm Certificate Numbers 81
Endpoint Encryption Configuration Files 83
  sbgina.ini 83
  sberrors.ini 91
  sbhelp.ini 92
  sbfeatur.ini 92
  scm.ini 92
  defscm.ini 93
  sdmcfg.ini 93
  TrivialPwds.dat 94
  Bootcode.ini 94
  BootManager.INI 94
  Errors.XML 95
  AutoBoot.ini 95
  SbClientFileSet.ini 95
  SBWinLogonOpts.XML 95
  SBCP.INI 95
Endpoint Encryption Program and Driver Files 97
  EXE Files 97
  DLL Files 97
  SYS Files 98
  Other Files 99
WinTech and SafeTech 100
Themes & Localization 101
  Themes 101
  Keyboards 102
  Pre-Boot Language 110
  Pre Boot Token Descriptions 113
  Windows Languages 113
Troubleshooting PCs 115
Error Messages 116
  Module codes 116
  1C000 IPC Errors 117
  5C00 Communications Protocol 117
  5C02 Communications Cryptographic 119
  A100 Algorithm Errors 120
  DB01 Database Objects 122
  DB02 Database Attributes 123
  E000 Endpoint Encryption General 124
  E001 Tokens 124
  E002 Endpoint Encryption Disk 126
  E003 Endpoint Encryption SBFS 127
  E004 Boot Code Image 128
  E005 Client 129
  E006 Algorithms 132
  E007 Readers 132
  E008 Users 133
  E010 Keys 133
  E011 Files 133
  E012 Licences 134
  E013 Installer 134
  E014 Hashes 135
  E015 Application Control 135
  E016 Administration Center 136
  xxH: BIOS 136
Technical Specifications and Options 138
  Encryption Algorithms 138
  Smart Card Readers 138
  Tokens 139
  Language Support 139
  System Requirements 141
Appendix 143
  Legal Notices 143
  Open Source Components License Details 143
  Making Endpoint Encryption for PC FIPS Compliant 150
Index 152
Preface
| 1
Preface
Using this guide
This guide describes the administration functions of McAfee Endpoint Encryption for PC.
Audience
This guide is intended for administrators of Endpoint Encryption for PC.
Conventions
This guide uses the following conventions:
Bold Condensed: All words from the interface, including options, menus, buttons, and dialog box names.
Courier: The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt).
Italic: Emphasis or introduction of a new term; names of product manuals.
Blue: A web address (URL); a live link.
Note: Supplemental information; for example, an alternate method of executing the same command.
Caution: Important advice to protect your computer system, enterprise, software installation, or data.
Welcome
2 |
Welcome
The team at McAfee is dedicated to providing you with the best in security for protecting data on personal computers. Applying the latest technology, deployment and management of users is enhanced using simple and structured administration controls.
Endpoint Encryption for PC represents the latest addition to the McAfee family and
incorporates functionality not found in earlier versions. This new edition of Endpoint
Encryption for PC features a new dimension in IT security incorporating many new
enterprise level options, including automated upgrades, file deployment, flexible
grouping of users and centralized user management. In addition, user’s credentials
can be imported and synchronized with other deployment systems.
Through the continued investment in technology and the inclusions of industry
standards we are confident that our goal of keeping Endpoint Encryption at the
forefront of data security will be achieved.
About This Guide
This guide is designed to aid corporate security administrators in the correct implementation and deployment of Endpoint Encryption for PC. Although this guide is complete in terms of setting up and managing Endpoint Encryption systems, it does not attempt to teach the topic of "Enterprise Security" as a whole.
Readers unfamiliar with Endpoint Encryption should follow the appropriate sections of
the Endpoint Encryption for PC Quick Start Guide which walks through setting up a
Endpoint Encryption enterprise before tackling any of the topics in this guide.
Audience
This guide was designed to be used by qualified system administrators and security managers. Knowledge of basic networking and routing concepts, and a general understanding of the aims of centrally managed security, is required.
McAfee can only contribute to information security within your organization as part of a coherent and well-implemented organizational security policy.
For information about cryptography topics, readers are advised to consult the following publications:
Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition, Bruce Schneier, Pub. John Wiley & Sons; ISBN: 0471128457
Computer Security, Dieter Gollmann, Pub. John Wiley and Sons; ISBN: 0471978442
Security in Computing, Charles P. Pfleeger, Pub. Prentice Hall PTR; 3rd edition; ISBN 0130355488
Related Documentation
The following materials are available from our web site, www.mcafee.com, and from your Endpoint Encryption Distributor:
• Endpoint Encryption for PC Administration Guide (this document)
• Endpoint Encryption Manager Administration Guide
• Endpoint Encryption for PC Quick Start Guide
• WinTech and SafeTech Administration Guide
• Endpoint Encryption Update and Migration Guide
Acknowledgements
McAfee’s Novell NDS Connector and LDAP Connectors make use of OpenLDAP (www.openldap.org) and OpenSSL (www.openssl.org). Due credit is given to these organizations for their free APIs.
Design Philosophy
Unlike other security systems, Endpoint Encryption for PC does not prevent access to specific files, or in any way alter the way the PCs and PDAs are used.
Contacting Technical Support
Please refer to www.mcafee.com for further information.
Introduction
4 |
Introduction
Why Endpoint Encryption for PC?
Around 1,000,000 laptops go missing each year, causing an estimated 4 billion USD worth of lost data. Is your data safely stored? Ever thought about the risks you run for your company and your clients? Endpoint Encryption for PC was developed with the understanding that often the data stored on a computer is much more valuable than the hardware itself.
McAfee’s product range enhances the security of devices by providing data encryption
and a token-based logon procedure using, for example, a Smart Card via a USB,
PCMCIA, serial or parallel reader. Endpoint Encryption also has optional File and Media
encryption programs (VDisk, File Encryptor and Endpoint Encryption for Files and
Folders). Endpoint Encryption for PC supports the following Microsoft Operating
Systems:
• Microsoft Windows 7
• Microsoft Windows 2000 through SP4
• Microsoft Windows XP through SP3 (32bit only)
• Microsoft Windows 2003 through SP2 (32bit only)
• Microsoft Vista 32bit and 64bit (all versions)
• Microsoft Pocket Windows 2002 and 2003
NOTE: End users continue to work as usual, including with security and network services. Apart from the initial logon, Endpoint Encryption for PC offers completely transparent security.
How Endpoint Encryption for PC Works
Protection
Endpoint Encryption protects the user’s PC by taking control of the hard disk from the operating system. The Endpoint Encryption for PC driver encrypts every piece of data written to the disk and decrypts every piece of data read from it.
If an unauthorized application broke through the Endpoint Encryption barrier and read
the disk directly, it would find only encrypted data, even in the Windows swap file and
temporary file areas.
If a data recovery agency tried to retrieve information from an Endpoint Encryption-protected hard drive without access to the Endpoint Encryption system via the passwords or recovery information, there would be no way of accessing this data: total security.
Endpoint Encryption installs a mini-operating system on the user’s hard drive; this is what the user sees when they boot the PC. It looks and feels like Microsoft Windows, with mouse and keyboard support, moveable windows, etc. This Endpoint Encryption OS is completely self-contained, does not need to access any other files or programs on the hard disk, and is responsible for allowing the user to authenticate with a password or a token such as a smart card.
Once the user has entered the correct authentication information, the Endpoint Encryption operating system starts the crypt driver in memory and boots the protected machine’s original operating system. From this point on the machine will look and behave as if Endpoint Encryption were not installed. The security is invisible to the user: the only readable data on the hard disk is the Endpoint Encryption operating system; the encryption key for the hard drive is itself protected with the user’s authentication key. The only possible way to defeat Endpoint Encryption is either to guess the hard disk encryption key (a one in 2^256 chance with the AES256 algorithm) or to guess the user’s password.
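The two-tier key design just described (a random disk key that never changes, wrapped under a key derived from the user's credential) is shown below as an added illustration in Go; it is not McAfee's code or on-disk format. It assumes PBKDF2-HMAC-SHA256 for the password-derived key and AES-256-GCM for the wrap, neither of which the guide specifies, and it shows why a password change or recovery re-wraps the key instead of re-encrypting the drive.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// UserRecord is the per-user entry the pre-boot environment keeps. Nothing in
// it yields the disk key without the password. (Illustrative layout, not
// McAfee's on-disk format.)
type UserRecord struct {
	Salt       []byte
	Iterations int
	WrappedKey []byte // nonce || AES-256-GCM(KEK, diskKey)
}

const (
	saltSize  = 16
	nonceSize = 12
)

// pbkdf2Sha256 derives a 32-byte key-encryption key (KEK) from a password:
// single-block PBKDF2-HMAC-SHA256 (RFC 8018), enough for one 256-bit key.
func pbkdf2Sha256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// kekCipher turns a password plus salt into an AES-256-GCM instance.
func kekCipher(password string, salt []byte, iterations int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2Sha256([]byte(password), salt, iterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EnrollUser wraps the shared disk key under a key derived from the user's
// password with a fresh salt and nonce. The disk key itself is never stored.
func EnrollUser(password string, diskKey []byte, iterations int) (UserRecord, error) {
	if len(diskKey) != 32 {
		return UserRecord{}, errors.New("disk key must be 256 bits")
	}
	rnd := make([]byte, saltSize+nonceSize)
	if _, err := rand.Read(rnd); err != nil {
		return UserRecord{}, err
	}
	salt, nonce := rnd[:saltSize], rnd[saltSize:]
	g, err := kekCipher(password, salt, iterations)
	if err != nil {
		return UserRecord{}, err
	}
	wrapped := append(append([]byte(nil), nonce...), g.Seal(nil, nonce, diskKey, nil)...)
	return UserRecord{Salt: salt, Iterations: iterations, WrappedKey: wrapped}, nil
}

// Unlock is the pre-boot authentication step: recover the disk key from the
// record, or fail (GCM's tag check rejects a wrong password, so the caller
// never receives a garbage key).
func Unlock(password string, rec UserRecord) ([]byte, error) {
	if len(rec.WrappedKey) < nonceSize {
		return nil, errors.New("corrupt user record")
	}
	g, err := kekCipher(password, rec.Salt, rec.Iterations)
	if err != nil {
		return nil, err
	}
	key, err := g.Open(nil, rec.WrappedKey[:nonceSize], rec.WrappedKey[nonceSize:], nil)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	return key, nil
}

// ChangePassword re-wraps the disk key under the new password. Data already
// on disk is untouched because the disk key itself does not change.
func ChangePassword(oldPw, newPw string, rec UserRecord) (UserRecord, error) {
	diskKey, err := Unlock(oldPw, rec)
	if err != nil {
		return UserRecord{}, err
	}
	return EnrollUser(newPw, diskKey, rec.Iterations)
}
```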
On PDAs such as Pocket Windows and PalmOS, Endpoint Encryption installs
applications and drivers to provide authentication and encryption services. Endpoint
Encryption can protect memory cards, internal databases (such as e-mail and contact
lists), and provides secure, manageable authentication services.
Management
The Object Directory
The Object Directory is a central store of configuration information for all machines, servers, policies and users. It is managed by Endpoint Encryption Administrators using the Endpoint Encryption Manager.
Each time an Endpoint Encryption protected device boots, it will try to connect with the Object Directory; optionally, every time the user initiates a dial-up connection, or after a set period of time, the Endpoint Encryption protected machine will attempt to contact the Object Directory. The Object Directory is accessed over TCP/IP via a secure Endpoint Encryption Server (in the case of a centrally managed enterprise).
The Endpoint Encryption protected machine queries the Object Directory for any updates to its configuration; when updates are found they are downloaded to the client machine. Typical updates could be a new user assigned to the machine by an administrator, a change in password policy, an upgrade to the Endpoint Encryption operating system, or a new file specified by the administrator. At the same time, Endpoint Encryption uploads details such as the latest audit information (e.g. any user password changes and security breaches) to the Object Directory, thus allowing transparent synchronization of the enterprise system.
Objects, Entities, and Attributes explained
Endpoint Encryption for PC stores information about users, machines, servers, policies, etc. in collections called "objects"; from the perspective of the Endpoint Encryption system, it does not matter what an object represents, only the information it contains. Therefore, an object representing a user, e.g. "John Smith", and an object representing a machine, e.g. "John's Laptop", would both contain information about encryption keys, account status and administration level.
Within the object are collections of configuration data called Attributes. Again, the
same type of attribute may exist across many object types. Using the previous
example of John and his laptop, the details of the encryption keys, user status and
administration level would all be stored as separate attributes.
Entities are applications within the Endpoint Encryption system. Because of the generality of the object design, all Endpoint Encryption applications share that generality: for example, the Entity representing the Endpoint Encryption client and the Entity representing the Endpoint Encryption Server both authenticate to the Object Directory in the same way, as an "object" that could equally be a machine or a user. This generality is mostly hidden from users and administrators; however, because of this core design, you will find that many Endpoint Encryption related functions and tasks are common to users, machines and entities.
The Endpoint Encryption Components
Endpoint Encryption Manager
Figure 1. Endpoint Encryption Manager Interface
The most important component of the Endpoint Encryption enterprise is the Endpoint
Encryption Manager, the administrator interface. This utility allows privileged users to
manage the enterprise from any workstation that can establish a TCP/IP link or file link
to the Object Directory. Typical procedures that the Endpoint Encryption Administrator
handles are:
• Adding users to machines
• Configuring Endpoint Encryption protected machines
• Creating and configuring users
• Revoking users’ logon privileges
• Updating file information on remote machines
• Recovering users who have forgotten their passwords
• Creating logon tokens such as smart cards for users
Endpoint Encryption Server
The Endpoint Encryption Server facilitates connections between entities such as the client and Endpoint Encryption Manager, and the central Object Directory over an IP connection (rather than the file based "local" connection). The server performs authentication of the entity using DSA signatures, and link encryption using the Diffie-Hellman key exchange and a bulk encryption algorithm. This ensures that "snooping" the connection cannot result in any secure key information being disclosed.
The server exposes the Object Directory via fully routed TCP/IP, meaning that access
to the Object Directory can be safely exposed to the Internet / Intranet, allowing
clients to connect wherever they are. As all communications between the Server and
client are encrypted and authenticated there is no security risk in exposing it in this
way.
There is a unique PDA Server which provides similar services to PDAs such as
Microsoft Pocket Windows and PalmOS devices. More information about this can be
found in later chapters.
Endpoint Encryption Object Directory
The Endpoint Encryption Object Directory is the central configuration store for Endpoint Encryption for PC and is used as a repository of information for all the Endpoint Encryption entities. The default directory uses the operating system’s file system driver to provide a high performance, scalable system which mirrors an X500 design. Alternative stores such as LDAP are possible; contact your Endpoint Encryption representative for details. The standard store has a capacity of over 4 billion users and machines.
Typical information stored in the Object Directory includes:
• User Configuration information
• Machine Configuration information
• Client and administration file lists
• Encryption key and recovery information
• Audit trails
• Secure Server Key information
Endpoint Encryption for PC Client
The Endpoint Encryption for PC client software is largely invisible to the end user. The only visible part is an entry in the user’s tool tray (the Endpoint Encryption icon). Clicking on this icon allows the user to lock the PC with the screen saver (if the administrator has enabled this option and a screen saver is selected). Right-clicking on the icon allows them to perform a manual synchronization with their Object Directory, or to monitor the progress of any active synchronization.
Normally the Endpoint Encryption client attempts to connect to its home server or
directory each time the machine boots or establishes a new dial-up connection.
During this process, any configuration changes made by the Endpoint Encryption
administrator are collected and implemented by the Endpoint Encryption client. In
addition, information such as the latest audit logs is uploaded to the directory.
Endpoint Encryption File Encryptor
By right-clicking on a file, users can elect to encrypt it using various keys. Files can be
encrypted with other Endpoint Encryption users' keys, and/or passwords.
Once protected in this way the file can be sent elsewhere, e.g. via e-mail or a floppy
disk, without the risk of disclosure.
When the file needs to be used, it just needs to be double-clicked; a password or login
prompt will be presented for authentication. If the user authenticates correctly, the
file will be decrypted.
The File Encryptor also has an option to create an RSA key pair for recovery – if the
password to a file is lost, then the file can still be recovered using the correct recovery
key.
Endpoint Encryption Connector Manager
Figure 2. Endpoint Encryption Connector Manager
Endpoint Encryption’s object directory keeps track of security information. It is
designed so that synchronization of details between Endpoint Encryption and other
systems is possible.
The Connector Manager is a customizable module which enables data from systems
such as X500 directories (commonly used in PKI infrastructures) to propagate to the
Endpoint Encryption Object Directory. Using this mechanism, it is possible to replicate
details such as a user’s account status between Endpoint Encryption for PC and other
"directories".
Current connector options include LDAP, Active Directory, and an NT Domain Connector.
For information on these components, contact your Endpoint Encryption
representative, or see the Endpoint Encryption Manager Administration Guide.
Install and Deployment
Endpoint Encryption is installed on users' PCs by running small deploy sets created by
the Endpoint Encryption Manager. This executable file contains the core components
and drivers needed to enable Endpoint Encryption on a user's machine.
As install mechanisms which do not involve end users become increasingly necessary,
and the software industry strives to make the cost of ownership and implementation of
products as small as possible, Endpoint Encryption for PC utilizes "smart-update" type
technology.
With this mechanism, only a small amount of code needs to be placed on the client
machine to facilitate installation. The remaining code modules are downloaded on
demand from either central Endpoint Encryption Servers (in the case of a network
install), or from a local compressed directory (in the case of a standalone PC). With
network connected machines, this gives the additional benefit of being able to update
Endpoint Encryption files simply by updating the data stored in the Object Directory.
Endpoint Encryption's file deploy mechanism can also be used to "push" other files to
Endpoint Encryption protected machines. For instance, virus databases can be stored in
the central Endpoint Encryption directory; when they need updating, an Endpoint
Encryption administrator upgrades the central copy, and all Endpoint Encryption protected
machines notice the change and automatically download the new file. This deploy
mechanism can also be used to make registry changes on remote machines and can
even execute files.
Installing the Endpoint Encryption Manager
NOTE: If you are unfamiliar with Endpoint Encryption, you should follow the Endpoint Encryption for PC
Quick Start Guide, which describes setting up an Endpoint Encryption enterprise. Please read the Quick Start
Guide before tackling any of the topics in this guide. You will find this in your Endpoint Encryption box or
on your Endpoint Encryption CD.
The Endpoint Encryption Manager is the administration tool for managing all Endpoint
Encryption aware applications.
Install it by running the appropriate setup.exe from the Endpoint Encryption CD or
download. You should run this first on the machine that will be the "master" or
administrator's machine.
The Endpoint Encryption Manager will now be installed on your machine. Follow the
on-screen prompts to install the software: you may be prompted to select a language,
a smart card reader, and an encryption algorithm. For more information on these options
please see the Encryption Manager Administration Guide. Once completed you may
need to restart your system.
The Endpoint Encryption Management suite adds some items to your Start menu:
Endpoint Encryption Manager, which starts the management console, and the Database
Server, which starts the communication server and provides encrypted links between
clients and the configuration.
After rebooting, run the Endpoint Encryption Manager program. A wizard will walk you
through the creation of a new Endpoint Encryption directory. If you have an existing
Object Directory in your network, you can connect to it by cancelling the wizard and
manually configuring a connection.
For more information on the Endpoint Encryption Manager please see the Endpoint
Encryption Manager Administration Guide.
Endpoint Encryption for PC User Policies
The following sections describe the Endpoint Encryption specific parameters.
User Administration Functions
Create Token
This option creates a new Token for the selected user - this could be a soft (password)
token or a hard token such as a smart card or eToken. See the Token Operation
chapter for more information.
In the case of hard tokens, creating the token does not necessarily set the user to
actually use that token. This must be accomplished separately from the user's Token
properties page.
Reset Token
This option resets the token authentication to the default. In the case of the soft
(password) token, this resets the password to 12345.
Some hard tokens may not be able to be reset using Endpoint Encryption, for
example, Datakey Smart Cards. In this case contact the manufacturer of your token to
determine the correct re-use procedure.
Set SSO Details
This option sets the Single-Sign-On details for the user. For more information on SSO
see the Windows Logon Features chapter.
Force Password Change at Next Logon
This option forces the user to change their password at their next logon.
View Audit
This option displays the audit for the user - for more information see the Auditing
chapter.
Reset (All) to Group Configuration
This option resets the configuration of the user, or of all the users in the group, to the
group's configuration.
Create Copy
This option creates a new object based on the selected object.
Properties
This option displays the properties of the selected object.
User Configuration Options
General
Figure 3. User Options ‐ General
Auto-boot users
The special user id "$autoboot$", with a password of "12345", can be used to auto-
boot an Endpoint Encryption protected machine. This option is useful if an auto-boot of
a machine is required, for example, when updating software using a distribution
package such as SMS or Zenworks. However, this ID should be used with caution as it
effectively bypasses the security of Endpoint Encryption.
Enabled
This option shows whether the user account is enabled or not. The enabled status is
always user selectable.
When an Endpoint Encryption for PC protected system synchronizes with the Endpoint
Encryption Manager, it checks the user account list to ensure that the currently logged
on user is still valid (because they logged on at a boot time before the network and
Object Directory were available).
Users with disabled accounts, or users who have been removed from the user list, will
find that their workstation locks and they are unable to log in.
NOTE: If you want to force an Endpoint Encryption machine to synchronize (and hence immediately stop
the user from accessing the machine), you can use the "force sync" option to force an update. See the Force
Synchronization chapter.
Devices
Figure 4. User Configuration ‐ Devices
Floppy Disk Access
Users can be prevented from accessing the floppy disk, or from writing to it. You can
also elect to allow only encrypted floppy disks: in this situation the user must format
their own disks, which only they can then use. Note: the disk is encrypted with the
user's personal key.
Ports
Endpoint Encryption can attempt to block access to the serial and/or parallel ports.
This blocking is implemented after the operating system has booted. Therefore, if the
machine has a serial mouse, it will still function. Likewise a printer connected to the
parallel port will still function. This option is designed to stop users adding serial and
parallel devices AFTER the machine has booted.
NOTE: The McAfee Port Control product provides granular device access by allowing you to take detailed
control of the devices which are available to your users.
Application Control
Figure 5. User Configuration ‐ Application Control
Endpoint Encryption includes an innovative application blocking system which can be
used to restrict what code can actually be run by a user. For more information on this
feature see the Trusted Applications chapter.
List Contains Untrusted Applications
This option allows you to specify files in the listed file hash sets that should be blocked
(untrusted). All unlisted executable files will be permitted to execute code (trusted).
List Contains Trusted Applications
This option allows you to specify files in the listed file hash sets that will be permitted
to execute code (trusted). All unlisted executable files will be blocked (untrusted).
Enable Blocking of Untrusted Applications
This option blocks untrusted applications from executing code. If this option is not set,
then any code can run. This is a debugging option.
Enable Logging of Executed Applications
This option makes a record of files that try to execute code. A status message
indicating whether the file is trusted or not is written to the SBAPPLOG.TXT file. This
feature is useful for debugging trusted application file sets.
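The way these four options combine into a single run/block verdict, as an added Python model (this is not McAfee's code): the hash algorithm (SHA-256), the data structures, the sample "executables" and the log-line layout are assumptions; only the option names and the SBAPPLOG.TXT file name come from the guide.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def file_hash(data: bytes) -> str:
    """Digest used to match an executable against a file hash set.
    Assumption: SHA-256; the guide does not state the product's algorithm."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class AppControlPolicy:
    """Model of the settings on the user's Application Control pane."""
    hash_sets: Dict[str, Set[str]]   # the "listed file hash sets": set name -> digests
    list_is_trusted: bool            # True:  "List Contains Trusted Applications" (allow-list)
                                     # False: "List Contains Untrusted Applications" (block-list)
    enable_blocking: bool = True     # "Enable Blocking of Untrusted Applications"; off = debugging
    enable_logging: bool = False     # "Enable Logging of Executed Applications"
    log: List[str] = field(default_factory=list)  # stands in for SBAPPLOG.TXT


def listed_in(policy: AppControlPolicy, digest: str) -> Optional[str]:
    """Name of the first hash set containing digest, or None if the file is unlisted."""
    for name, digests in policy.hash_sets.items():
        if digest in digests:
            return name
    return None


def decide(policy: AppControlPolicy, path: str, data: bytes) -> Tuple[bool, bool]:
    """Evaluate one execution attempt and return (trusted, allowed).

    'trusted' is the verdict the hash sets give; 'allowed' is what actually
    happens. They differ only when blocking is switched off (the debugging option)."""
    digest = file_hash(data)
    hit = listed_in(policy, digest)
    if policy.list_is_trusted:
        trusted = hit is not None      # allow-list: only listed files may run
    else:
        trusted = hit is None          # block-list: listed files are the ones blocked
    allowed = trusted or not policy.enable_blocking
    if policy.enable_logging:
        # Constructed log-line layout; the real SBAPPLOG.TXT format is not in the guide.
        status = "TRUSTED" if trusted else "UNTRUSTED"
        action = "RUN" if allowed else "BLOCKED"
        suffix = f" set={hit}" if hit else ""
        policy.log.append(f"{status} {action} {path} sha256={digest[:16]}...{suffix}")
    return trusted, allowed


# Constructed stand-ins for executables on a client (not real binaries).
PAYROLL_EXE = r"C:\Program Files\Corp\payroll.exe"
GAME_EXE = r"C:\Users\Public\game.exe"
SAMPLE_FILES: Dict[str, bytes] = {
    PAYROLL_EXE: b"MZ constructed sample: approved payroll client",
    GAME_EXE: b"MZ constructed sample: unapproved game",
}


def run_allowlist() -> Dict[str, Tuple[bool, bool]]:
    """Allow-list mode with blocking on: the one hash set names payroll.exe,
    so the unlisted game.exe is untrusted and blocked."""
    policy = AppControlPolicy(
        hash_sets={"Corp approved apps": {file_hash(SAMPLE_FILES[PAYROLL_EXE])}},
        list_is_trusted=True, enable_blocking=True, enable_logging=True)
    return {p: decide(policy, p, d) for p, d in SAMPLE_FILES.items()}


def run_blocklist_debug() -> Tuple[Dict[str, Tuple[bool, bool]], List[str]]:
    """Block-list mode with blocking off: game.exe is flagged UNTRUSTED in the
    log but still allowed to run, which is what makes 'Enable Blocking' a
    debugging switch for tuning hash sets before enforcing them."""
    policy = AppControlPolicy(
        hash_sets={"Banned apps": {file_hash(SAMPLE_FILES[GAME_EXE])}},
        list_is_trusted=False, enable_blocking=False, enable_logging=True)
    results = {p: decide(policy, p, d) for p, d in SAMPLE_FILES.items()}
    return results, policy.log


if __name__ == "__main__":
    for path, (trusted, allowed) in run_allowlist().items():
        print(f"allow-list: {path}: trusted={trusted} allowed={allowed}")
    _, log = run_blocklist_debug()
    print("\n".join(log))
```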
Using Tokens with Endpoint Encryption for PC
Endpoint Encryption supports many different types of logon token, for example
passwords, smart cards, Aladdin eToken, and others. Before a user can use a non-
password token, you must ensure any machine they are going to use has been
suitably prepared.
Supported Smart Cards and Tokens
The link below contains the supported smart cards and tokens:
https://kc.mcafee.com/corporate/index?page=content&id=pd20895
General Token Operation
Hardware Device Support
Ensure the machine has the appropriate Windows drivers for the hardware tokens it
needs to support. For example, if you intend to use Aladdin eTokens you need to
install the Aladdin eToken RTE (Run Time Environment).
If you intend to use smart cards, you need to ensure that an Endpoint Encryption
supported smart card reader is installed, along with its drivers – for example the
Mako/Infineer LT4000 PCMCIA smart card reader must be installed.
In both cases, the appropriate device drivers are available either direct from the
manufacturer, or from the Endpoint Encryption install CD in the \Tools directory.
Endpoint Encryption for PC Driver Support
Once you have installed hardware support for the devices, you can enable software
support for them: from the machine, or machine group, Properties window, select
the "Files" properties pane and tick the appropriate options for the tokens you want
the machine, or group of machines, to support, e.g. if you want the machines to
support eTokens, select the "eToken PRO Client Token" file group. To support the
Mako/Infineer Smart Card reader, select the "Infineer Smart Card Reader" file set.
NOTE: You should also note that some USB key tokens are in fact a combined USB Smart Card reader and
USB Device in one unit, therefore, you need to add USB CCID Smart Card reader support to your Endpoint
Encryption for PC clients for them to work. See the Token Compatibility section later in this chapter for
information on the tokens which are of this nature.
Assign the token to the user and create it.
From the user’s Token properties pane, select the token you want that user to log in
with. Endpoint Encryption will prompt you to insert the token and will create the
appropriate data files on it.
If all steps are followed, when you install Endpoint Encryption, or after the machines
synchronize, users will be able to log in using their new token.
NOTE: When learning how to use Endpoint Encryption, we advise you always leave at least one password‐
only user assigned to machines in case you make a mistake when setting up token support.
Stored Value Tokens
Endpoint Encryption can store user keys on certain tokens, such as smart cards or
USB keys such as the Aladdin eToken.
Storage tokens host around 1KB of data unique to the Endpoint Encryption
environment and user, on each token. They are configured within the Endpoint
Encryption Manager for the specific user before they can be used.
Tokens offer the following advantages over passwords:
• The user's key is not stored on the user's machine, and is protected from brute
force attack by the microprocessor of the token
• The same token can be used to authenticate to many systems
• Tokens can be used for other physical purposes, for example door access
systems
Certificate, or "Crypt Only" tokens
Endpoint Encryption can leverage your investment in PKI and tokens to allow users to
authenticate using their certificates. This can be quite advantageous in the corporate
environment for the following reasons:
• Leverage investment in PKI and existing tokens
• Tokens do not need to be provisioned specifically for Endpoint Encryption
• Users can log in to Windows, etc., using their PKI certificates
• Revocation of certificates denies access to Endpoint Encryption-protected PCs
By using one of Endpoint Encryption’s certificate connectors, you can quickly make
your Endpoint Encryption enterprise aware of all certificate-holding users, and can
allow them to be allocated to computers using Endpoint Encryption for PC without
having to create new smart cards or other forms of token for them to use.
Endpoint Encryption has been tested with the following tokens and PKI environments –
more tokens and PKIs are being developed so if your environment is not listed, please
contact your Endpoint Encryption representative for the latest information.
You can use any token with any PKI.
How Certificate Tokens Work
Certificate tokens leverage the unique one-way properties of public-key encryption: a
piece of data can be encrypted for a user, using some public information, but cannot
be subsequently decrypted with that same information.
Endpoint Encryption uses the information stored in the public certificate store of a PKI
to look up users and encrypt their unique key with the public key stored in their
certificate. This online process is handled transparently by one of the Endpoint
Encryption Connectors.
Once encrypted, Endpoint Encryption stores the information within its policy store, and
makes it available to all Endpoint Encryption-aware applications: for example, with
Endpoint Encryption for PC, the user's key encrypted with their public key is stored on
each machine the user is assigned to. When a user tries to log in, Endpoint Encryption
sends their encrypted user key to their token and asks for it to be decrypted using the
private key stored on the token. The actual decryption happens securely within the
microprocessor of the token and only after the user has supplied the correct token PIN
or password. This ensures the user's decryption key (private key) never has to leave
the token.
Once decrypted, the resulting user key can be used to authenticate the user.
You can see from this process that there is no need for Endpoint Encryption to have
prior knowledge of, or to have stored anything on, the user's token. All the information
Endpoint Encryption needs to prepare the system can be obtained online through the
PKI certificate server.
Certificate Connectors
Setting up Certificate tokens is the responsibility of the Endpoint Encryption Certificate
connectors – these are available for both Active Directory and LDAP systems, and
more information on configuring them can be found in the Endpoint Encryption
Manager Administration Guide, in the Active Directory Connector and LDAP Connector
chapters.
The connectors can search AD and LDAP directories for users, and create them in
Endpoint Encryption based on certain criteria. The connectors can also monitor CRLs
for revoked certificates, and also automatically handle the rollover of certificates
on expiry.
Other Types Of Token
There are other types of token also supported by Endpoint Encryption, such as
Biometric and Cognometric tokens. For more information on these tokens please
contact the manufacturer or your distributor.
Other Tokens Supported in Endpoint Encryption for PC:
• Sony Puppy Biometric Reader (http://www.sony.co.jp/puppy/)
• RealUser Passfaces (http://www.realuser.com)
• Infineon Embedded TPM Chip
• Security Chip: TPM (TCG V1.2) with Infineon Package versions: InfineonTPM
Professional Package V2.5 and InfineonTPM Professional Package V2.5 SP1
• Upek Fingerprint Reader
Token Compatibility
Endpoint Encryption supports many tokens, but due to the pre-boot nature of Endpoint
Encryption for PC, not all tokens are supported in all environments. If you have a
specific token requirement, please contact your Endpoint Encryption representative for
the latest information. Please also see the token overview spreadsheet. Contact your
McAfee representative for further details.
Some USB key tokens are a combined USB Smart Card reader and USB Device in one
unit. You therefore need to add USB CCID Smart Card reader support to your Endpoint
Encryption for PC clients, to enable them to work.
Specific Token Notes
RSA SID800 USB Token
Storage token supported pre-boot. This token requires firmware 1.01.33 or higher.
ActivIdentity Smart Cards and USB Keys
These modules support ActivIdentity 64K v1 (card profile S4), ActivIdentity 64K v2
(card profile O4) and ActivIdentity 64K v2C (card profile S4) cards. You can choose to
use the card in Stored Value mode, or Certificate mode. The tested ActivIdentity
ActivKeys are AAK300 version (product code ZFG-3007-AB).
Infineon Embedded TPM Chip
The Infineon Trusted Platform Module (TPM) on Fujitsu PCs can be used as a token for
Endpoint Encryption allowing:
• Authentication to Endpoint Encryption Manager
• Pre-Boot Authentication
• Screensaver Authentication
NOTE: If you use TPM as a token for Endpoint Encryption Manager, ensure that the UserID is not used on
any other PC with a TPM. If it is, it will be locked to that PC from then on.
The embedded TPM chip, in its simplest form, can be envisaged as a smart card
physically attached to the motherboard of the PC. The TPM (Trusted Platform Module)
can perform similar cryptographic operations to PKI smart cards, such as encryption,
decryption, key generation, signing of data etc.
With the Endpoint Encryption TPM module, the TPM chip is used to secure a user's
logon credentials. This means that once initialized, the user's unique secret key is removed
from the Endpoint Encryption environment and secured by the TPM chip. The user
from this stage onwards will only be able to log in to that particular machine.
Conversion from password mode to TPM mode is automatic and occurs as soon as the
user uses their account on a TPM protected machine. From activation onwards, that
Endpoint Encryption user will only be able to log into the machine on which the TPM
chip holds their keys.
Pre-Requisites for Endpoint Encryption Pre-Boot TPM Support
• Endpoint Encryption
• PC with Infineon TPM Chip installed (TCG Spec. Version 1.2)
• Infineon TPM Professional Package (Version 2.5)
• Infineon TPM Professional Package (Version 2.5 SP1)
Endpoint Encryption's TPM module also requires that the TPM be "initialized". This
involves creating the Endorsement Key, Storage Root Key and setting an Owner
password. If this is not done, Endpoint Encryption will find the TPM and try to convert
the user to use it at first logon, but the operation will fail and the user will not be able
to log on.
The TPM initialization process is performed by the Infineon software after you install it.
The TPM Chip must be enabled in the BIOS on the target PC.
The TPM has to be enabled in the BIOS (which it is not by default). Until it is enabled,
it is essentially not present as far as Endpoint Encryption and Infineon software is
concerned. If you try to install the Infineon software with TPM disabled, it will warn
you that the "Infineon TPM not found" and abort the install (exactly as it does on
machines without a TPM).
Endpoint Encryption has been tested with the following TPM Components:
• Infineon TPM Professional Package v2.5 HF2
- Chip State = Enabled
- Owner State = Initialized
- User State = Initialized
• Trusted Platform Module
- TCG Spec. Version = 1.2
- Vendor = Infineon Technologies AG
- Chip Version = SLB 9635 TT 1.2 (41313100)
- FW Version = 1.00
- FW ROM CRC = 0x4028
• TPM Device Driver
- File name = ifxtpm.sys (x86)
- Version = 1.80.0002.00 built by: WinDDK
• TPM Device Driver Library
- File name = IFXTPM.dll
- Version = 2.50.0771.00
Configuring the TPM on the target PC
The following instructions detail how to enable TPM support for a user on a target PC:
1. From the system tray double-click the TPM icon, or from Start > All
Programs > Infineon Security Platform Solution > Manage Security
Platform.
2. Click on the User Settings tab.
3. Click on the Basic User Password Change button.
4. Follow the on screen instructions to register password for the TPM.
5. When you have successfully created the TPM password, exit the application.
Endpoint Encryption for PC setup
1. Install Endpoint Encryption for PC with TPM support.
2. Login to the Endpoint Encryption Manager.
3. Click on Devices and from Endpoint Encryption Machine Groups add a
new machine group.
4. Right click on the machine group and select Properties.
5. Click on the Files icon and select TPM Machine Chip. Apply these settings.
6. Click on the Users tab and create an Endpoint Encryption user.
7. Right click on the new Endpoint Encryption user and select Properties.
8. Assign an Infineon Embedded TPM Chip to the user and apply these settings
(Note: the Configure option does not apply to the Puppy token).
9. Assign the user to the machine group.
10. Create an install set from the machine group.
Installing Endpoint Encryption with TPM
1. Install Endpoint Encryption on the client PC using the newly created install
set.
2. Reboot and synchronize with the Endpoint Encryption database.
3. Login to the Pre-Boot authentication using the default password “12345”.
4. When prompted to change the password, select the same password as the
Basic User password for the TPM.
5. After the PCs next boot, the password for the TPM will be the TPM Basic
User password.
6. Reboot the machine and logon at PBA by selecting the Sony Puppy token.
Recovery
When a user password recovery is performed Endpoint Encryption will reset the
password to the default ‘12345’ and will allow the user to login. The user will be
prompted to change the password. Select a new password and ensure that you change
the TPM password to the new one before rebooting the PC.
Sony Puppy Fingerprint Reader The Sony Puppy can be used as a token for Endpoint Encryption allowing:
• Authentication to Endpoint Encryption Manager
• Pre-Boot Authentication
• Screensaver Authentication
The Puppy allows two modes of operation: Fingerprint or Password. This means that if a
user fails to login using their fingerprint, they can do so using their password.
Requirements to use Sony Puppy with Endpoint Encryption
1. Puppy Suite Enterprise / Personal - v2.1 or later
2. Sony Puppy device (FIU-810-N03)
3. Endpoint Encryption V5.0
The following instructions detail how to enable Sony Puppy Support for a user. For this
you will need to have a new Sony Puppy or reset an existing one using the Sony
Puppy Administration Tools.
Step 1. Setup the Sony Puppy Fingerprint Reader
1. Install the Sony Puppy software - SC-API 810 setup (Basic).
2. Plug the Sony Puppy finger-print reader into an available USB Port.
3. Click Start > All Programs > FIU-810 tools > User Manager.
4. Follow the on screen instructions to register a User Name and Fingerprint /
Password for the device.
5. When you have successfully created the Sony Puppy User and registered
your fingerprint(s) exit the application.
Step 2. Endpoint Encryption for PC setup
1. Install Endpoint Encryption for PC with Sony Puppy support.
2. Login to the Endpoint Encryption Manager.
3. Click on Devices and from Endpoint Encryption Machine Groups, add a
new machine group.
4. Right click on the Machine Group and select Properties.
5. Click on the Files icon and select Sony Puppy Client Files.
6. Apply these settings.
7. Click on the Users tab and create an Endpoint Encryption user (keep a note
of the UserID).
8. Right click on the new Endpoint Encryption user and select Properties.
9. Assign a Puppy token to the User and apply these settings. (Note: the
configure option does not work with the Puppy token).
10. Assign the user to the machine group.
11. Create an install set from the machine group.
Step 3. Installing Endpoint Encryption with Puppy Support
1. Install Endpoint Encryption for PC on the client using the newly created
install set.
2. Once installed, start SbPuppytrainer.exe from the default Endpoint
Encryption directory.
3. Select Train Puppy from the menu. The logon screen will appear.
4. Select Use Endpoint Encryption Username and enter the User ID and
Password of the Endpoint Encryption user and click the Logon with
Password button. You will be asked to verify your fingerprint.
5. Place your finger on the reader and it should verify OK. The training is
complete. You may Reboot the machine and logon at PBA by selecting the
Sony Puppy token.
Aladdin eToken 64KB
Tokens with id 0x0514 and 0x0600 are supported. Tokens 0x050c are no longer
supported as they are discontinued by Aladdin.
This token module requires Aladdin RTE 3.65 to be installed.
SafeNet IKEY 2032
Requires the v3.4.7 drivers as available from www.safenet.com. The Windows Update
drivers do not function. This token is supported in Storage Mode only.
Endpoint Encryption Phantom USB Biometric Key
The Endpoint Encryption Phantom is a combined USB storage + Biometric
authentication token. To use it for Endpoint Encryption for PC Pre-Boot:
Step 1.
Create a user and assign their finger within the USB Phantom by running
SMCforUSB.exe (this is the USB Management utility):
1. Create user
2. Enroll user i.e. register finger
3. Assign a partition to the user
Step 2.
1. From the Endpoint Encryption Manager create a user account for the user
name created in step 1.
2. Assign Endpoint Encryption for USB token to user (default token is password)
Note: The default in EEPC is to create a default password of 12345.
Step 3.
Define the Machine Policy which should include file sets:
• Endpoint Encryption for PC client files
• READER: USB CCID smart card
• TOKEN V5x: Endpoint Encryption for USB Phantom client files
Step 4.
Create online installation set note: assign user or user group to the machine as part of
machine policy.
Step 5.
Install Endpoint Encryption for PC on the client computer.
After the second reboot, the client should see the preboot authentication screen. This
will have the password and Endpoint Encryption for USB token options.
Step 7.
Select Endpoint Encryption for USB which should generate a Endpoint Encryption
Biometric challenge screen:
1. Attach USB phantom to PC.
2. Swipe enrolled finger on USB Phantom
3. Tick the box for user listed Provide User Name.
The standard Endpoint Encryption logon screen should appear which will require the
SAME user name to be entered as the one registered with the USB Phantom. At this
point you will need to enter the default Endpoint Encryption password of 12345 which
will marry the Endpoint Encryption for PC client with the USB phantom. This step has
completed the integration of Endpoint Encryption for PC with the USB phantom.
The PC should now boot into Windows. After rebooting the client you will be prompted
to authenticate via the USB Phantom biometric reader.
Upek Fingerprint Reader
Before the Upek fingerprint reader can be used as an authentication device the
following steps must be performed:
1. The Upek Protector Suite QL software must be installed and configured on the
client machine. The software can be found on the McAfee Endpoint Encryption
Tools download. Please consult your McAfee representative for further
information.
2. From the Endpoint Encryption Manager:
• Create a file group for the Upek token and import the token files:
SbTokenUpek.dll and SbTokenUpek.dlm. See the File Groups and
Management chapter for further information.
• The Upek file group must be assigned to the machine or machine group.
• The fingerprint reader must be assigned to a user or a user group. See the
user or user group Properties Tokens screen.
3. The user logs onto the client machine using the Upek token module in
password mode.
4. The user will be presented with a dialog which will ask them to register their
fingerprints with Endpoint Encryption; the user configures the fingerprint
reader to work with one or more of their fingerprints.
5. From then on the user will need to authenticate to Endpoint Encryption with
their fingerprint instead of a password.
Creating and Configuring Machines
The Object Directory contains a unique record for every machine attached to it. When
Endpoint Encryption installs, it creates a record either directly in the Object Directory
or in a transfer directory for later inclusion – this "object" contains the machine's
encryption key, hard drive geometry, and secure configuration.
Each user machine periodically tries to connect to its parent directory to check that its
local configuration matches the centrally defined one. If there are any differences, the
local machine reconfigures itself to match. You can change any aspect of the
machine’s configuration centrally; these changes get applied to the machine the next
time it synchronizes.
Machines normally create their own object in the directory when Endpoint Encryption
first installs; this happens automatically if you use a Group Install Set (see the
Creating an Install Package chapter). However, you can pre-create a "placeholder" object for
the machine, set a unique custom configuration for it, and then create an install set for
that object only.
Users are assigned to machines and machine groups. When the machine synchronizes
it compares its local user list with that in its Object Directory entry. Any changes are
made in real time, including disabling the current user if their account status becomes
removed or disabled.
Machine Administration Functions (right-click menu)
Create Machine
The Create Machine option creates a new “placeholder” machine definition. If in the
future a new machine with the same network name tries to install itself into the group,
it will take over the placeholder object and use the configuration set within it.
Rename
This option changes the Endpoint Encryption name of the machine.
This does not affect the machine's network name, which can be seen on the General
Properties page.
Delete
This option deletes the machine entry – you will be given the opportunity to
“Permanently Delete” the machine, or to move the machine to the Recycle Bin (where
it can be later restored, if necessary).
Import Machines
This option imports a machine definition into the group. This definition could be from
a machine created using an Offline Install (see Offline Package Installs for further
information) or from an export from another database.
Export Configuration
This option exports the configuration information for a machine (.sdb file) which can
be used for diagnostic or troubleshooting tasks or for import into an alternate
database.
Create Install Set
Creates a package of all the files and configuration needed to install Endpoint
Encryption - for more information, see Installing, Upgrading and Removing Endpoint
Encryption for PC.
Force Synchronization
You can force a machine (or group of machines) that is online to perform an
immediate configuration synchronization. You might do this if you have removed a
user from a group (or disabled them) and it is imperative that they are disabled
immediately, or if a user has a configuration issue that needs resolving.
To do this, select the machine (or machine group) in question, and use the "Force
Synchronization" option from the window menu or right-click menu. The Endpoint
Encryption Manager sends a short message to the machine in question (using its
stored DNS or IP address) telling it to perform an immediate synchronization to update
its policies.
If you "Force Sync" a machine that is not online, or refuses the request because
Endpoint Encryption is no longer installed, an error message is generated. If Endpoint
Encryption is already in the process of performing a configuration change on the
remote machine, the sync request is ignored.
Reboot Machine
You can select the “Reboot Machine” option to attempt to reboot one or many
machines – this sends a message to the machines in question telling them to perform
an immediate shutdown. Users may not be given enough time to save their work, so
this feature should be used with caution.
You can configure the messages and timeout of the reboot option by editing the
SCM.ini file, as explained in Endpoint Encryption Configuration Files chapter of this
guide.
There are some instances when Windows will prevent remote rebooting of a system,
e.g. while the screen-saver is active.
Lock Machine
You can remotely activate the screen saver on a given machine by using the “Lock
Machine” command. Both machines and groups of machines can be locked in this way.
Add Users
You can add a number of users to a collection of machines using this option – You can
select the machine, or combination of machines you want to add users to from a group
or search window.
View Audit
This option displays the audit for the machine. For more information see the Auditing
chapter.
Reset to Group Configuration
Resets the configuration of the machine, or all the machines in the group, to the
group's configuration. Optionally, it sets the user list to match the group user list.
Create Copy
Creates a new object based on the selected object.
Properties
This option displays the properties of the selected object.
Machine Configuration Options
The following configuration options can be set for machines, or groups of machines.
Machine Groups
Description
You can enter a text description for a machine group, such as the physical location of
the machines.
General
Figure 6. Boot Protection and General Options
Boot Protection
The status of Endpoint Encryption can be set in one of four modes. Both the desired
and current protection status are shown.
Disabled – Endpoint Encryption is installed and listening, but is not securing
the computer. You can change the status to another mode and this will be
reflected at the next synchronization.
Enabled – Endpoint Encryption is protecting the machine, and requiring users
to logon.
Remove – Endpoint Encryption will decrypt and uninstall itself at the next
synchronization.
Remove and Reboot – as above, with the addition that Endpoint Encryption
will automatically reboot the machine after uninstalling.
Removed – Endpoint Encryption is no longer installed on the machine, and its
entry can be deleted from the directory.
Note: If you select Remove and let the machine uninstall Endpoint Encryption, remember to delete the
entry from the directory, or, set the protection back to Enable before re‐installing Endpoint Encryption. If
you forget this, then as soon as the new install connects, it will remove itself again.
Description
This field allows you to enter a text description of the machine, such as its
specification, model or physical location.
Network Name
The machine's logical network name - you can find and filter the Machine tree for the
machine's name using the “Object/Filter” option.
Options
Windows Logon
Require Endpoint Encryption Logon – Endpoint Encryption takes control of the
normal Windows logon screen, and screen saver logon. Users will be prompted for
their Endpoint Encryption for PC credentials.
Attempt automatic Windows Logon – Endpoint Encryption tracks the user’s
Windows ID, password and domain, and presents these automatically to Windows logon
boxes. This mechanism means once the user has authenticated to Endpoint Encryption
at the boot screen, they do not need to enter any more passwords for Windows.
NOTE: If the user’s Windows credentials are different from their Endpoint Encryption for PC credentials,
Endpoint Encryption stores the windows credentials the first time they are used. It may take two reboots
before the single sign on becomes active.
Require Endpoint Encryption re-logon – If the user logs out of Windows, Endpoint
Encryption will control the login box for the next login.
Automatically logon as boot user – If there are no stored Windows credentials for
the user, Endpoint Encryption tries to login to Windows with the user’s Endpoint
Encryption credentials.
Endpoint Encryption logon component always active – If selected, the Endpoint
Encryption login component is kept active on the machine even if all the other options
are disabled. This means that it can be reactivated mid-session during synchronization
with the Object Directory. If all options are deactivated, the Endpoint Encryption logon
component can only be reactivated after a reboot.
Set Endpoint Encryption Password to Windows Password – If the Windows and
Endpoint Encryption login passwords differ, users will be prompted to set the Endpoint
Encryption password to the Windows password. Also, if the user changes their
password in Windows, their Endpoint Encryption password will be set to match.
Must Match Windows user name – If a user's Endpoint Encryption and Windows
user IDs do not match, no SSO credentials will be stored for the user if this option is
enabled. This prevents an administrator's Windows credentials being associated with a
normal user’s Endpoint Encryption account in the case that the normal user logged in
at pre-boot, but then an administrator authenticated to Windows.
Booting
Allow Booting from the hard disk – If disabled, users will have to boot the machine
with a machine bootable token such as an Endpoint Encryption Floppy Disk. This adds
additional security in that the machine is inaccessible without the token. NOTE:
This option is not available with Endpoint Encryption version 4.1 or later.
Virus Protection
Enable MBR Virus protection – Endpoint Encryption monitors boot sector activity,
and prevents any program writing to it. Endpoint Encryption also monitors the BIOS
signature to further prevent boot viruses.
NOTE: If you have this option enabled and you move a protected hard disk between two machines,
Endpoint Encryption will detect this as a possible virus and prevent the machine being used until a virus
reset has been performed. For information on this procedure, see the chapter on WinTech and SafeTech.
Miscellaneous
Do not display previous user name – Hides the ID of the last logged on user in all
Endpoint Encryption logon dialogs, and changes the “Incorrect Password” and
“Unknown User ID” error messages to a generic message.
Reject Suspend/Hibernate Requests – This option stops the machine from
entering hibernation mode. Note: this option is not supported in Vista.
Disable Checking for AutoBoot – This option switches off the $autoboot$ user
support on this machine. If the machine has many users assigned, this option can
speed up the boot time.
Do not lock after AutoBoot is removed – normally Endpoint Encryption locks the
workstation if the current logged in user is removed, or disabled, as part of a
synchronization event. This is to prevent the machine being used in the event that
there is no current user. Switching this option on stops the autolock happening if the
$autoboot$ user is removed, and may be useful in the case of automated software
updates.
Allow AutoBoot user to be managed locally – enables support for the
“-disablesecurity” and “-reenablesecurity” options of the Endpoint Encryption
Automation library – for more information on these options see the SBAdmCL Users
Guide.
Disable Clearing of status log – Prevents users from clearing the Client side status
log.
Always display On-screen keyboard – Forces the pre-boot to always display a
clickable on screen representation of the keyboard. This option is of most benefit to
TabletPC users.
Enable Boot Disk Compatibility – Some machines have BIOS code which mounts
USB disks as physical drives. This is an unusual mode of operation and means that
after Endpoint Encryption has finished its authentication, Windows will hang trying to
access the drive through the BIOS physical interface (because Endpoint Encryption is
also a 32 bit platform, it unloads all BIOS drives when it finishes). This option forces
the low-level Endpoint Encryption drivers to block access to disks other than the boot
disk meaning Windows will not detect these USB drives until the USB stack is
initialized. An alternate solution would be to unplug all USB drives before booting the
machine.
Always enable pre-boot USB support – This option forces the Endpoint Encryption
pre-boot code to always initialize the USB stack. Normally this option should not be
enabled as Endpoint Encryption will dynamically enable USB on demand.
Do Not Lock Workstation if no User is Authenticated – This option will stop the
client manager from locking the workstation after a synchronization if it finds there is
no current Endpoint Encryption user logged on, e.g. after the first synchronization
during the install or if the Endpoint Encryption user that is currently logged on is
removed.
Do Not Lock Workstation if User is Disabled – This prevents the client manager
from locking the workstation after a synchronization if the currently logged on
Endpoint Encryption user is disabled.
Encryption
Figure 7. Setting Drive Encryption
Before a machine has first synchronized with the Object Directory, or in the case of
the properties of a machine group, the Object Directory does not know what drives
and partitions are available to be encrypted. The Endpoint Encryption Manager
provides the ability to specify any partition name and elect to encrypt it.
Once the machine has synchronized, only the partitions present on it will be shown.
You can specify one of three encryption modes – “Full” encrypts the entire partition,
“Partial” encrypts only the first 10% of the drive, “None” leaves the drive in plain text
with no security. The “Last Reported Setting” can be used to verify if the machine has
applied recent configuration changes.
The “Last Reported Setting” for a drive is the exact state of encryption the last time
the machine reported to the Database.
NOTE: Partial encryption is designed to encrypt the directory structure and file allocation table on FAT
drives – it does not stop a competent hacker reassembling file data from the drive.
Encryption Mode
The Encryption Mode drop down menu lets you specify an encryption type for all drives
in a machine group:
Manually select the drives to encrypt
This option allows you to manually select the encryption type for each drive
using the Full, Partial or None buttons.
Never encrypt any drives
This option ensures no drives in the machine group will be encrypted.
Automatically encrypt all drives partially
This option will set all drives in the machine group to be partially encrypted.
Automatically encrypt all drives fully
This option will set all drives in the machine group to be fully encrypted.
Recovery key
You can boot a machine, or close the Endpoint Encryption screen saver without logging
on using the recovery process – this involves the user reading a small “challenge” of
18 characters from the machine to an administrator, then typing in a larger “response”
from the administrator. The recovery key size defines the exact length of this code
exchange. For more information see the Recovery Key chapter. A recovery key size of
“0” disables the machine recovery system.
Removable Devices
You can configure Endpoint Encryption for PC to also encrypt removable drives such as
USB/Firewire hard disks, Flash drives etc. Normally, Endpoint Encryption for PC only
protects physically attached hard disks, for example, IDE or SCSI hard disks. This is
because Endpoint Encryption for PC is related to the machine, not the user – it is
impossible to share drives encrypted with Endpoint Encryption for PC between
different machines. If you need to share data amongst users and machines, please
consider using Endpoint Encryption for Files and Folders.
• Manually Select – Normally removable drives will not be shown in the
encryption list. Selecting this option makes them visible.
• Always Encrypt – Forces encryption of removable drives.
• Never Encrypt – Prevents Endpoint Encryption from attaching its drivers to
removable disks – this is the default option.
Users
Figure 8. Allowed Users
You can add groups of users, and individual users, to a machine (or machine group).
Either drag and drop the user(s) from the user tree into the machine properties User
tab, or, use the “user picker” to select them. Although Endpoint Encryption supports
many hundreds of users on a single machine, we STRONGLY recommend that the
number of users assigned is kept to the fewest possible. Every user added
to a machine is another possible account for a hacker to gain entry. There is no
purpose in adding entire departments of users to laptops which are used by only one
person.
Auto-boot users
Special user IDs containing the name “$autoboot$” with a password of “12345” can be
used to auto-boot a protected machine. This option is useful if an auto boot of a
machine is needed; for example, when updating software using a distribution package
such as SMS or Zenworks. These IDs should be used with caution however, as they
effectively bypass the security of Endpoint Encryption.
Any ID containing the string “$autoboot$” can be used, for example, “my$autoboot$”,
“$autoboot$123” etc.
By using more than one ID, you can improve database performance if many machines
are synchronizing the $autoboot$ account at the same time.
The process for creating an $autoboot$ user is:
1. Create the user.
2. Uncheck the Force password change at next logon.
3. Click the Devices tab.
4. Right-click the machine group (or machine, if preferred), and select
Properties.
5. Ensure the Disable checking for AutoBoot option is unchecked.
6. Ensure the Allow AutoBoot user to be managed locally and Allow
AutoBoot to be cancelled options are checked.
7. Click the Apply button to save these options.
The AutoBoot user is now ready. For further explanation of steps 5 and 6 see the
General section of Machine Configuration Options chapter.
You can also change the default password for the $autoboot$ accounts; to do so, see
the section Autoboot.ini in Endpoint Encryption Configuration Files.
WARNING: It is quite possible to create a machine, or machine group, with no users assigned. If this
configuration is deployed then no one will be able to log on to that machine. To resolve this issue, use the
recovery “boot once” procedure, add some users to the machine in question, and then synchronize it again
to update the configuration.
Figure 9. Client Warning Text
Security Warning
Text displayed to the user in the Endpoint Encryption login box.
Recovery Message
Text displayed to the user when they select the “Recover” button. This may include
information such as their help desk telephone number.
Synchronization Settings
Figure 10. Synchronization Settings
Endpoint Encryption machines try to keep their local configuration the same as their
central directory configuration; they do this by periodically synchronizing changes with
the Object Directory. The default behavior is to synchronize on boot, but further
options can be set.
Automatically Resynchronize
Endpoint Encryption tries to contact the Object Directory every specified number of
minutes. If the directory cannot be contacted, the sync sleeps until the next period.
Allow Local Resynchronization
By right clicking on the Endpoint Encryption tool tray icon, the user can force a
synchronization event by selecting the Synchronize option. This feature can be
disabled.
Resynchronize when RAS connection is detected
This option causes a synchronization event to occur if the user dials up to the internet
/ intranet. Endpoint Encryption checks for new RAS (Remote Access Service)
connections every second.
Synchronize time with directory
This option sets the local machine time to the time of the server / directory it is
synchronizing with. If the user’s machine is in a different time zone to the server, the
correct local time will be set as long as their time zone is correct.
WARNING: This option is useful when logon hour restrictions are in place – without this time check the
user could set their system clock back to gain extra hours of machine use.
Disable Synchronization of Files
This option stops Endpoint Encryption monitoring file group changes and deploying
updates to the remote machines.
Allow remote controlled synchronization
This option allows an administrator to initiate a synchronization event using the “Force
Sync” option. The Endpoint Encryption client sends its IP address to the Object
Directory each time it connects, to enable the communication channel. The
communication port can be set between 0 and 65535. Note: The client IP will appear
in the Address field within the Synchronize settings screen of the machine’s Properties
screen.
Disable Access if not synchronized…
If a machine does not connect to its server within the specified number of days, then
all accounts will become disabled. This option prevents users continuing to use
machines offline from the Endpoint Encryption Object Database for extended periods
of time. Also, if a machine is stolen or lost, you can be assured that it will disable itself
after the timeout has passed.
Delay Sync at boot for…
You can specify an optional offset and random offset for the initial boot sync. This may
speed up the machine, and will also ensure any network load created by “9am
syndrome” is distributed over a longer period of time. Setting the delay time to zero
disables the initial synchronization.
The synchronization settings take effect once Endpoint Encryption has connected and
picked up its policy from the central object directory. You can pre-set the parameters
that Endpoint Encryption will use while it is trying to establish the initial
connection through settings in the file SCM.ini. More information on this file can be
found in Endpoint Encryption Configuration Files.
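To make the interaction between these settings concrete, here is an added Python model (example code, not McAfee's product code and not part of this guide) of the boot delay with its random offset, the periodic resync, and the offline lockout. The conventions that a zero resync period or a zero day count means the option is off are assumptions of this example.

```python
import random
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SyncSettings:
    """Subset of the Synchronization Settings tab, as modelled here."""
    boot_delay_seconds: int = 60    # "Delay Sync at boot for..." fixed offset; 0 disables the boot sync
    boot_random_seconds: int = 0    # random offset added on top of the fixed offset
    resync_minutes: int = 0         # "Automatically Resynchronize" period; 0 = off (assumption)
    disable_after_days: int = 0     # "Disable Access if not synchronized..."; 0 = off (assumption)


def boot_sync_time(boot_time, settings, rng):
    """Return when the first sync after boot is attempted, or None when the
    delay is zero (a zero delay disables the initial synchronization)."""
    if settings.boot_delay_seconds == 0:
        return None
    jitter = rng.uniform(0, settings.boot_random_seconds)
    return boot_time + timedelta(seconds=settings.boot_delay_seconds + jitter)


def peak_syncs_per_minute(boot_times, settings, rng):
    """Count how many machines contact the Object Directory in the busiest
    minute; the random offset exists to spread this load ("9am syndrome")."""
    buckets = Counter()
    for t in boot_times:
        when = boot_sync_time(t, settings, rng)
        if when is not None:
            buckets[when.replace(second=0, microsecond=0)] += 1
    return max(buckets.values()) if buckets else 0


def next_resync_attempt(last_attempt, settings):
    """The periodic sync sleeps until the next period whether or not the last
    attempt reached the directory: there is no faster retry on failure."""
    if settings.resync_minutes == 0:
        return None
    return last_attempt + timedelta(minutes=settings.resync_minutes)


def accounts_disabled(last_successful_sync, now, settings):
    """True once the machine has been offline longer than the configured
    limit, at which point all accounts on it become disabled."""
    if settings.disable_after_days == 0:
        return False
    return now - last_successful_sync > timedelta(days=settings.disable_after_days)


if __name__ == "__main__":
    # Constructed fleet: 200 laptops all powering on at 09:00 on the same day.
    nine_am = datetime(2010, 6, 1, 9, 0, 0)
    fleet = [nine_am] * 200
    no_jitter = SyncSettings(boot_delay_seconds=60, boot_random_seconds=0)
    jittered = SyncSettings(boot_delay_seconds=60, boot_random_seconds=1800)
    print("peak per minute, no random offset:",
          peak_syncs_per_minute(fleet, no_jitter, random.Random(1)))
    print("peak per minute, 30 min random offset:",
          peak_syncs_per_minute(fleet, jittered, random.Random(1)))
    offline = SyncSettings(disable_after_days=14)
    print("disabled after 15 days offline:",
          accounts_disabled(nine_am, nine_am + timedelta(days=15), offline))
```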
Files
Figure 11. Client File Groups
Select which groups of files need to be deployed to the machine. Typically the
Endpoint Encryption Client File group is deployed, along with optional token and
language files.
Some file groups may not be displayed in the list - only file groups with the property
“Client File Sets” will be shown.
You can add your own file groups for deployment to the Endpoint Encryption Object
Database – see the following chapter for more information.
If your Endpoint Encryption user account has group permissions set, some file groups
assigned to the machine may be outside your control; in this case they will be marked
as locked groups. To gain the ability to change them, remove any “Group”
administration restrictions on your account.
Screen Saver
Figure 12. Screen Saver Properties
Enable Secure Screen Savers
Endpoint Encryption will take control over all screen savers, providing secure
authentication services. On Windows 2000, and XP, the “Windows Logon” options also
need to be configured.
Allow user access…
This option allows the user to change the local screen saver properties.
Run screen saver if token is removed…
If the current user’s token supports dynamic removal, e.g. a smart card or eToken,
then the screen saver will be activated if they remove the token from the machine.
Set Endpoint Encryption screen saver as default
This option sets the current selected screen saver to be the Endpoint Encryption
Screen Saver.
Allow logon of administrators…
This option allows administrators with accounts on machines greater than the specified
admin level to unlock a screen saver that has been locked by a different user. If this
option is not set, then only the user who locked the machine can unlock it.
Set screen saver inactivity…
This option sets the timeout period for the screen saver.
Boot
Figure 13. Boot Properties
Boot Manager
Enable boot Manager
Switches on the built in pre-boot partition boot manager. Users can select which
primary partition on the hard disk they wish to boot.
You can control which partitions are displayed for the user to select from via the file
“bootmanager.ini”. For information about this file, see the Endpoint Encryption
Configuration Files chapter of this guide.
Auto select After... seconds
This option allows you to select a period, which once it has expired, will cause the boot
manager to select the last used partition.
Graphics Mode
This menu allows you to specify the screen resolution for a machine or machines
within a group. The default option is “Default Graphics Mode” which supports
resolutions up to 1024x768. Note: if the selected mode is not supported on the
machine it will fall back to the default mode.
File Groups and Management
Figure 14. Endpoint Encryption File Groups
Endpoint Encryption for PC uses central collections of files, called Deploy Sets, to
manage what versions of files are used on remote Endpoint Encryption clients. When
an administrator updates a file in the central directory, all machines attached to that
Deploy Set automatically collect the new version of the file from the directory the next
time they synchronize. This mechanism can be used to update Endpoint Encryption
clients to future versions, or to manage any file on an Endpoint Encryption protected
machine - for instance, updating a virus database, or deploying a new version of an
application.
You can assign multiple file sets to be used on each machine. Typically two are used,
the first for the core Endpoint Encryption files, the second for the language files. All
assigned sets are processed in the same way.
When the Endpoint Encryption Manager is installed, it automatically adds all the
standard Endpoint Encryption administrator and client files into two core file groups,
Administration Center Files and Endpoint Encryption for PC 5 Client Files; it
may also create language sets, for example, English Language. Two INI files
determine the contents of the core groups: ADMFILES.INI for the administrator files
and SBCLIENTFILESET.INI for the client files. These INI files can be edited to allow
custom collections of files to be quickly imported and then applied using the "Import
file list" menu option. For more information on ADMFILES.ini and SbClientFileSet.ini,
see the Endpoint Encryption Configuration Files chapter of this guide.
Other file sets created as standard include those to support login tokens, such as
smart card readers, and USB Key tokens.
Setting file group functions
Figure 15. File Group Content
You can specify the function of a file group by right-clicking it and selecting its
properties. Some file selection windows, for example the file selector for machines,
only display certain classes of file group (in this example, those marked as “Client
Files”).
Importing new files
New files can be imported one by one into an existing deploy set using the "Import
files" menu option. Simply select the file. The Endpoint Encryption Manager will then
import it into the directory and add it to the deploy set. The default options for the file
mean that machines using this deploy set will NOT automatically receive a
download when they synchronize. This chapter contains further information on how to
achieve this. You can also import File Sets, for instance, to add a new option to the
Endpoint Encryption database.
Exporting Files
You can export a file group, or an individual file back to a directory. This may be
useful, for example if you have an out of date administration system driver and there
is an updated file in the Object Directory.
Deleting Files
You can delete individual files from a file set. In this case all machines that are
maintaining a link to the file through association will delete it from their local directory
at the next synchronization event.
Clients maintain a link to a particular file via its object id, not its name. If you delete a
file and re-import it, its id changes; clients will therefore delete the original and
download the new copy.
Setting File Properties
To see the properties of a file, right click on the file in question and select "Properties".
Two screens of information are available: File Information and Advanced.
The name of the file is the actual name, which will be used when deploying the file on
the remote machine. The ID is the Object Directory object ID which is used as a
reference for the file from the client PC.
The version number is an incremental version of the file. When the file is updated, the
version is incremented. This is used by the clients to check whether an update is
needed. Other information such as the name of the user who imported the file and its
size may be shown.
Figure 16. File Properties, Advanced
File Types
Sets the type of the file.
Operating System
Because some files are only applicable to some operating system(s), the target
operating system(s) for the file must be selected. This is to prevent Windows NT
drivers being installed on Windows 98 machines, or Windows 9x registry files being run
on Windows 2000 servers.
App ID
If you are installing a file which is shared between multiple Endpoint Encryption
applications, you can specify this application's ID. This prevents one application from
installing files shared by another.
Update
Specify when Endpoint Encryption should update the file.
Adding components to a Machine
To add new options, such as tokens, smart card readers, or other ancillary files to an
existing machine, or group of machines, simply check the desired options on their
Files tab.
Some combinations of options may be incompatible – for further information please
visit our web site, www.mcafee.com.
Using Endpoint Encryption as a File Deploy System
Endpoint Encryption’s internal file update mechanism can be used to synchronize any
file on an Endpoint Encryption protected machine.
When the Endpoint Encryption client performs synchronization, it compares its internal
file revision list with the revision of the files in the Object Directory. If any files have
been superseded (or are in the directory list but not in the local list), the Endpoint
Encryption client downloads them.
The file type assigned in the Object Directory determines what happens to a file when
it is downloaded. The action can be summarized simply:
• Endpoint Encryption Registry File: Processed into registry
• Windows Registry File: Processed into registry using RegEdit
• Pre/post Installation Executable: Copied to specified location and Run either
before or after Endpoint Encryption.
• Any other file: Copied to specified location
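The revision comparison just described, together with the delete-by-object-id behaviour from the Deleting Files section, as an added Python model (example code, not McAfee's; the object ids, file names and versions below are constructed):

```python
from dataclasses import dataclass
from enum import Enum


class FileType(Enum):
    """File types from the Advanced properties of a deployed file."""
    EE_REGISTRY = "Endpoint Encryption Registry File"
    WIN_REGISTRY = "Windows Registry File"
    PRE_INSTALL_EXE = "Pre Installation Executable"
    POST_INSTALL_EXE = "Post Installation Executable"
    OTHER = "Any other file"


# What the client does with a file once it has downloaded it.
POST_DOWNLOAD_ACTION = {
    FileType.EE_REGISTRY: "process into registry",
    FileType.WIN_REGISTRY: "process into registry using RegEdit",
    FileType.PRE_INSTALL_EXE: "copy to location, run before Endpoint Encryption",
    FileType.POST_INSTALL_EXE: "copy to location, run after Endpoint Encryption",
    FileType.OTHER: "copy to location",
}


@dataclass(frozen=True)
class DirectoryFile:
    object_id: str      # Object Directory id; clients link to a file by id, not by name
    name: str           # name used when the file is written on the client
    version: int        # incremented centrally each time the file is updated
    file_type: FileType
    location: str       # deployment path, e.g. "[appdir]" or a fixed directory


def plan_sync(local_revisions, directory_files):
    """Compare the client's local revision list {object_id: version} with the
    deploy set held in the Object Directory and return the actions a sync
    would take.

    Download: every directory file that is missing locally, or whose directory
    version is newer than the local one. Delete: every local object id that no
    longer exists in the directory (also what happens after a delete-and-
    re-import, because the re-imported file gets a new object id).
    """
    directory_ids = {f.object_id for f in directory_files}
    download = []
    for f in directory_files:
        local_version = local_revisions.get(f.object_id)
        if local_version is None or local_version < f.version:
            download.append({
                "id": f.object_id,
                "name": f.name,
                "to": f.location,
                "action": POST_DOWNLOAD_ACTION[f.file_type],
            })
    delete = sorted(i for i in local_revisions if i not in directory_ids)
    return {"download": download, "delete": delete}


def apply_sync(local_revisions, directory_files):
    """Return the revision list the client holds after applying the plan."""
    plan = plan_sync(local_revisions, directory_files)
    updated = {i: v for i, v in local_revisions.items() if i not in plan["delete"]}
    versions = {f.object_id: f.version for f in directory_files}
    for item in plan["download"]:
        updated[item["id"]] = versions[item["id"]]
    return updated


# Constructed sample data: what one client holds, and what the deploy set now contains.
LOCAL_REVISIONS = {"obj-101": 3, "obj-102": 1, "obj-103": 2}
DEPLOY_SET = [
    DirectoryFile("obj-101", "example.dll", 3, FileType.OTHER, "[appdir]"),          # unchanged
    DirectoryFile("obj-102", "settings.reg", 2, FileType.WIN_REGISTRY, "[appdir]"),  # v1 -> v2
    DirectoryFile("obj-104", "message.txt", 1, FileType.OTHER, r"c:\windows\desktop"),  # new
    # obj-103 was deleted centrally, so it no longer appears in the deploy set
]

if __name__ == "__main__":
    for action, items in plan_sync(LOCAL_REVISIONS, DEPLOY_SET).items():
        print(action, items)
    print("after sync:", apply_sync(LOCAL_REVISIONS, DEPLOY_SET))
```

Running the plan a second time against the same deploy set yields no actions, which is the check a client uses to know it is up to date.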
Example - Copying a new file to the desktop
This example shows how to set up a new text file that will be copied to the user’s
desktop when they synchronize.
Step 1. Checking the File Group settings
From the properties of the machine (or controlled machine group) you want to update,
check which file groups are assigned. The default file group is EEPC1: Endpoint
Encryption for PC 5.1.2 Client Files. You can create new file groups specifically for
your custom files and assign them to machines if you so wish.
Step 2. Adding the new text file
1. Select the file group from step 1, and then use the Import Files option (right-
click inside the File Group window).
2. Select the new file you want to import, for example, "message.txt". Once
imported, select the new file and go to its Advanced Properties box.
Because we are importing a "Known" file type, the file location will be set
automatically to [appdir]. We will override this with the location we want to send the
file to, in this case c:\windows\desktop. We also want this file to be deployed on all
operating systems, so we check all the boxes.
Figure 17. Setting the new text file permissions.
Now, next time the machine synchronizes, it will notice the new file, and download it
into its c:\windows\desktop directory. If the file was defined as a type of Endpoint
Encryption or Windows Registry file, it would be applied. If it was marked as an
"Installation Executable", it would be run.
You can test this behavior by forcing the machine to resynchronize, using either the
"Force Sync" option from the Endpoint Encryption Manager or the right-click menu of
the Endpoint Encryption client tool tray icon.
The file "message.txt" should appear on the desktop, and the status window of the
client should reflect the change.
More information on the Endpoint Encryption file deployment mechanism can be found
in the File Groups and Management chapter.
Creating an Install Package
The Endpoint Encryption client is installed by running a special archive file created from the
Endpoint Encryption Manager. This archive file contains all the components necessary
to install Endpoint Encryption.
The Endpoint Encryption Manager compresses the files needed into a single self-
contained executable for ease of management. Deploy sets can be created for Machine
groups, and individual machines for both fully online, and temporary offline situations.
This chapter deals with creating the install package; for information on how to apply it,
see the Installing, Upgrading and Removing Endpoint Encryption for PC chapter.
Selecting the Group / Machine
The first step in creating an install set is to select the object you want to create the
set for, e.g. an individual machine or a machine group. Install sets created for a
machine can only be used to install that one machine: the target PC always takes the
database entry the install set was created for. Sets created for groups of machines can
be used to install any number of machines in that group; each machine looks in the
deployed group for its name and, if found, uses that object. If not, it creates a new
object based on its network name.
Select the Install Set type
Figure 18. Creating an Installation Set
For the second step you need to determine whether you expect the machine to be
online or offline at the time of install.
Online Installs
Online installations expect the master Object Directory (the directory the administrator
is currently connected to) to be available via the LAN during the install process. Once
Endpoint Encryption for PC is installed, after the next boot, Endpoint Encryption will
contact the Object Directory and download all the configuration and object data for the
machine and users.
If a "placeholder" object for the machine name exists (a machine object created, but
not installed), it will use the configuration stored in that object. If no placeholder
exists, the machine will obtain its configuration from the machine group that the install
set was created for.
If the machine name is already used in the directory, and the existing machine is not a
“placeholder”, the new machine will append a four digit number to the end of its name
and install. For example, where a machine called “JSMACHINE” already exists, an
object “JSMACHINE0001” will be created.
NOTE: By editing the file scm.ini on the client before Endpoint Encryption is activated (i.e. after setup,
but before the first reboot) the group can be changed.
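The naming behaviour described above (adopt a placeholder, otherwise create a new object, and append a four-digit suffix when a live object already holds the name) is modelled in the script below. This is an added example, not product code: the `machines` dictionary of name to "placeholder"/"live" state is a hypothetical stand-in for the Object Directory, upper-casing of the network name and incrementing the suffix past 0001 when that name is also taken are assumptions, and `find_suffixed_duplicates` is an administrator's check for reinstalls that silently produced a second machine object instead of adopting a placeholder.

```python
"""Predict which Object Directory entry a newly installed online client will take.

Added example (not Endpoint Encryption code). `machines` is a hypothetical
mapping of existing object names to "placeholder" or "live"; the guide only
states that a live name clash produces e.g. JSMACHINE0001, so continuing to
JSMACHINE0002 when 0001 is also taken is an assumption made here.
"""
import re


def resolve_machine_object(network_name, machines):
    """Return (object_name, action) for a client installing as `network_name`.

    action is one of "adopt-placeholder", "create" or "create-renamed".
    """
    name = network_name.upper()  # assumption: directory names compare case-insensitively
    state = machines.get(name)
    if state is None:
        return name, "create"
    if state == "placeholder":
        # A placeholder object was prepared for this machine: use its configuration.
        return name, "adopt-placeholder"
    # A live machine already owns the name: append a four-digit counter.
    for n in range(1, 10000):
        candidate = f"{name}{n:04d}"
        if candidate not in machines:
            return candidate, "create-renamed"
    raise RuntimeError(f"no free four-digit suffix for {name}")


SUFFIXED = re.compile(r"^(?P<base>.+?)(?P<n>\d{4})$")


def find_suffixed_duplicates(machines):
    """List (duplicate, base) pairs where an object name is another existing
    object's name plus a four-digit suffix, i.e. a probable reinstall that
    created a second entry rather than adopting a placeholder."""
    dups = []
    for name in sorted(machines):
        m = SUFFIXED.match(name)
        if m and m.group("base") in machines:
            dups.append((name, m.group("base")))
    return dups


if __name__ == "__main__":
    # Constructed sample directory state.
    directory = {"JSMACHINE": "live", "LABPC": "placeholder"}
    print(resolve_machine_object("jsmachine", directory))  # renamed copy
    print(resolve_machine_object("labpc", directory))      # adopts placeholder
    directory["JSMACHINE0001"] = "live"
    print(find_suffixed_duplicates(directory))
```

Running the duplicate check against an export of machine names before a mass rollout shows where placeholders are missing, so the fix (creating the placeholder or removing the stale live object) can be made before the client installs.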
Offline Installs
If the machine is expected to be disconnected from the Endpoint Encryption Server
during the install, an "offline" install set can be created. In this case a "transport
directory" containing the necessary objects and configuration data will be included in
the deploy set. After local configuration, the transport directory will need to be
re-imported into the master directory before the machine can be recovered.
Selecting an Offline install mode allows the additional choice to include the "individual
objects" in the transport directory. If they are included, then all users and machines in
the set will be deployed with the transport directory (and therefore will be available
immediately, even before the machine connects back to the master directory). If they
are not included, then there will be no login prompt until the machine has performed
its first connection and brought down its user list.
NOTE: Until the transport directory containing the machine’s completed configuration is imported back
into the master directory, no connection or configuration of the client can be performed. Also, in the case
where the offline install set was created from a group, it will not be possible to recover the machine until it
has successfully synchronized with its master database. In the case where the offline install set was created
for an individual machine, or in the case of users, synchronization is not necessary for the machine to be
recovered.
Importing a Transport Directory
The Transport directory is a file called sbxferdb.sdb, and can be found in the
directory the Endpoint Encryption client is installed into. To import the details in this
directory back into the master, select the machine group you want to contain the
entries, and use the Import Machines right-click option. This brings the keys and
configuration from the machine into the master database, giving the ability to
synchronize with, reconfigure, and recover the machine.
Summary of Offline Install set contents
Machine Group Sets
An Install set created from a machine group can contain the following items:
• The Machine Group object.
• User objects assigned to the group, and user objects assigned to machines in
that group.
If the group contains machines, the following items are included in the set:
• Individual Machine objects (live or placeholder).
• User objects assigned to the individual machines.
Individual Machine Sets
The following items are included:
• The machine object.
• Users assigned to that machine.
Select the Master Directory
Figure 19. Selecting the Master Object Directory
Step 3 involves selecting the final Object Directory that the new client will
communicate with to synchronize configuration details. The default is the directory
that the administrator is currently using, but it can be any directory the administrator
has access to. Usually the clients will access the Object Directory via an Endpoint
Encryption server, rather than locally.
Connections via an Endpoint Encryption Server have the category type called Remote.
You can specify multiple connection points for machines, if you have more than one
server defined.
You can also change the order that the client will look for servers, and enable
automatic random selection of servers by using the wizard.
NOTE: For information on setting up an Endpoint Encryption Server, see the Endpoint Encryption Manager
Guide.
Set install options and create the set
Figure 20. Saving the Install Set
In Step 4, you specify the location the completed install file will be saved to, and
the directory on the client into which you want Endpoint Encryption to be installed.
Two options for the "visibility" of the set-up process can be set. Silent installs, for
example, do not give the user any visible display of the install process and are used in
automatic deployment environments, such as Microsoft SMS.
After the install file has been run on a client machine, it needs to be restarted before
Endpoint Encryption can be activated. An automatic restart option is included;
however, be aware that if "perform installation silently" and "automatically restart
machine" are both enabled, the machine will restart with no user intervention. This may
cause users to lose work, for example, if they have open documents when this
process occurs.
Installing, Upgrading, and Removing Endpoint Encryption for PC
Running an “Install Package” created by the Endpoint Encryption administrator on the
target machine enables and installs Endpoint Encryption for PC.
For information on creating install packages see the Creating an Install Package
chapter.
Offline Package Installs
Create the install file as per the Creating an Install Package chapter, selecting Offline
install and including the users and machines required. Run the package on the target
client and let it reboot.
Once restarted, you must retrieve the file sbxferdb.sdb which needs to be imported
back into the master directory. For information on this procedure see the Creating an
Install Package chapter.
Once the transport directory has been imported into the master database, if there is a
network connection between the client and an Endpoint Encryption Server, you will be
able to remotely manage the machine. If you do not retrieve the transport directory,
you will not be able to recover or reconfigure the machine.
If your machines are unable to connect to the master database after install, for
example because you are working in a permanently disconnected environment, you may
want to retrieve the .sdb file AFTER encryption has finished; the status of encryption
will then be properly reflected in the master database. In the case of machines which
connect to the master database after offline install, this property will be automatically
updated during the sync process.
Online Package Installs
Create an Online install package as per the Creating an Install Package chapter.
Simply run this file on the target machine(s). Once they have installed and rebooted,
they will contact one of the Endpoint Encryption Servers specified and create their
directory entries.
Removing / Uninstalling Endpoint Encryption Client
You can specify four modes of operation for Endpoint Encryption in the machine's
General properties page. For full details of these modes, see the General section.
To disable Endpoint Encryption, i.e. put it into a mode where it is applying no
protection but can be easily re-enabled, set the machine status to Disable. You can
then at a future time set the status to Enable and Endpoint Encryption will re-apply
the protection specified.
To completely remove Endpoint Encryption, select either Remove or Remove and
Reboot – Endpoint Encryption Client will perform the action after the next
synchronization event.
Upgrading Endpoint Encryption from previous versions
Where 5.x is mentioned, Endpoint Encryption version 5.1 and above should be
assumed.
Upgrading Endpoint Encryption 4.2 Clients to 5.x
Please see the Endpoint Encryption Update and Migration Guide.
Upgrading existing 5.x clients to a later service pack or patch version
To upgrade between service pack or patch levels, for example, from v5.0 to v5.1 you
can create a new file set in the Endpoint Encryption Object Directory.
1. Update your database and administration system as described in chapter 8 of
the Endpoint Encryption Manager Administration Guide.
2. Create a new file group for the new 5.x files.
3. You have to set the File Group Properties to Client files to have it available
under the Files section in the machine properties. Therefore right-click the file
group, choose Properties, then Content, and check the Client Files box. In
the case of new language file groups you need to check both Client Files and Language
as properties.
4. Right-click the new group and select Import File Set. Select the file
SBClientFileSet.ini from the administration system directory (usually
c:\program files\sbadmin).
5. Deselect the Endpoint Encryption 5.x Client Files file set from the
machines you wish to upgrade, and select Endpoint Encryption 5.1x Client
Files instead. During the next synchronization, the machine will download the
latest files and code and apply the upgrade.
WARNING: The deselection of all old Endpoint Encryption file groups and the selection of all new
Endpoint Encryption file groups MUST be done at the same time, e.g. if you deselect the Endpoint
Encryption 4.x Client Files and the English (British) KB/Language file group without selecting the new
Endpoint Encryption 5.x Client File groups then you risk corrupting your client.
If you have other options selected, such as the File Encryptor, or Token modules, be
sure to also deselect the v4 modules, and select the appropriate 5.x versions of these
as well.
6. For each machine you want to upgrade, deselect the machine's current client
file set, and select the new 5.x file set you created in step 2.
Removing Endpoint Encryption 5.x from a machine
1. Set Endpoint Encryption to either Remove or Remove and Reboot from the
machine's General properties.
2. The next time the machine synchronizes with the database, it will remove all
encryption and authentication.
3. It will then uninstall the Endpoint Encryption program files. If you simply want to
disable the Endpoint Encryption protection, set the Client to Disable instead.
If the machine is unable to synchronize, perhaps because of a network or Windows
issue, you can still remove Endpoint Encryption by performing an emergency SafeTech
removal, followed by the Sbsetup -Uninstall command from the Endpoint
Encryption program files directory.
Client Software
The Endpoint Encryption Client connects to its Object Directory, or configuration store,
which may be on the same machine, on a network drive, or reached via the Endpoint Encryption
Server. It does this every time the machine boots and optionally at set time intervals
or when a RAS session is initiated.
Once connected to the directory, the Endpoint Encryption client uploads the latest
audit and password changes to the directory, and if necessary downloads any
configuration changes specified centrally.
The Tool Tray Icon
The only user-visible part of Endpoint Encryption is the "Endpoint Encryption Monitor"
icon in the user's tool-tray. By double-clicking the icon users can start the system
screen saver (which may be protected by Endpoint Encryption). By right-clicking it
they can select one of four actions.
Activate Screen Saver
The default action when the Endpoint Encryption tray icon is clicked is to bring up a
password protected screen saver.
Show Status
The configuration process within Endpoint Encryption is largely transparent to the
user. The only evidence of Endpoint Encryption working can be found in the status
window available from Endpoint Encryption's tool tray icon.
Figure 21. Endpoint Encryption Client Status Window
The Status window displays any on-going configuration tasks (such as encryption
processes) and status messages from the last directory connection.
Synchronize
Endpoint Encryption tries to establish connection with its directory during the boot
process. In a situation where the directory is unavailable, for example - a notebook
user who is connecting via dial-up networking, the user can establish a connection at
any time, and select the Synchronize option to connect to a remote directory and
collect / upload changes.
For details of the supported functions within the Endpoint Encryption client, please see
the User and Machine configuration sections in the Endpoint Encryption Manager
Administration Guide, and also this guide.
Client Auditing
User events are audited locally and then transferred to the Object Directory as part of
the synchronization process. For more information on the events tracked see the
chapter on Auditing.
Boot and Logon Process
The Endpoint Encryption for PC boot screen allows the user to select a login method
(one of the available tokens), and then provide authentication credentials such as a
user id and password. If the user can provide the correct details, the Endpoint
Encryption boot code starts the transparent hard drive decryption process, loads the
original MBR and executes it.
When the operating system starts, the Endpoint Encryption Configuration Manager
(SCM) runs and performs a logon to the operating system (if SSO is enabled). It then
attempts to contact the Object Directory using the Directory Manager (this can be
local, or remote via an Endpoint Encryption Server) and re-validates the user against any
changes that have been made since the last validation. Following this, SCM
downloads and applies any configuration updates. This could include new user
accounts.
If the Object Directory validation is successful (i.e. no administrator has deleted or
disabled the users account) the Windows startup completes, and the Endpoint
Encryption icon is loaded into the tool tray to allow the user to run the screen saver,
validate with the server, display status etc.
After a period of inactivity or a power event, SCM activates the screen saver locking
the user.
If the user logs out of the operating system, they may be required to authenticate to
Endpoint Encryption when they log back into windows.
Endpoint Encryption Screen Saver
The Endpoint Encryption for PC Client includes a simple logo screen saver. You can use
any screen saver written to the Microsoft Screen Saver standards on the system;
Endpoint Encryption will still protect its logon using the standard Endpoint
Encryption logon window.
NOTE: You can change the logo displayed in the screen saver by adding a file called “logo.bmp” to the
Windows directory. You can also deploy logo.bmp using the File Update technology built into Endpoint
Encryption. You may find extra graphics on your Endpoint Encryption CD in the “tools” directory.
Users can start the screen saver through any of the normal Windows mechanisms, or
by double-clicking on the Endpoint Encryption tool tray icon.
Windows Sign-On and Logon Mechanisms
Endpoint Encryption includes many options to reduce the number of passwords users
have to remember. These options are used to ensure that when the user changes their
Windows password, their Endpoint Encryption password is changed to the same. This
happens without user interaction.
Changing the Password
The Endpoint Encryption for PC password can only be changed in the pre-boot
environment. To change the password:
1. Restart the PC.
2. Enter the current user ID and password in the login dialog.
3. Tick the change box, and click OK.
4. Follow the on-screen prompts to change the password.
Section 508: Logon Accessibility
US legislation 508 requires that information technology is accessible to people with
disabilities. To comply with 508 the pre-boot logon needs to be accessible by blind or
partially sighted people.
There are a limited range of sounds which enable access to the basic logon. Other
options, e.g. About and Recovery screens are not accessible.
As the user tabs (or shift-tabs) between controls, the pre-boot will emit various beep
sequences to indicate where they are. Other beep sequences will be used when an
error is displayed, when password timeouts are displayed and when a logon is
successful.
The sequences are:
User name field: beep
Password field: beep-beep
Change password checkbox: beep-pause-beep
OK button: beep-pause-beep-beep
Cancel button: beep-pause-beep-beep-beep
Token selection list: beep-beep-beep-beep
Error: beep-pause-beep-beep-pause-beep
Password timeout: beep-beep-beep-beep-beep
Logon successful: beep-beep-beep
Windows Sign-on and SSO
Endpoint Encryption can ease the logon process for users by doing the Windows logon
for them, as well as taking responsibility for screen saver logons and re-logon
requests. The features available can be configured by clicking on the “General” icon of
a machine or machine group object.
Windows Logon Features
Require Endpoint Encryption Logon – Endpoint Encryption takes control of the
normal windows logon screen, and screen saver logon. Users will be prompted for
their Endpoint Encryption credentials rather than their Windows Credentials.
Attempt automatic Windows Logon – Endpoint Encryption tracks the user's
Windows id, password and domain, and presents these automatically to Windows logon
boxes. This mechanism means once the user has authenticated to Endpoint Encryption
at the boot screen, they do not need to enter any more passwords for Windows.
If the user’s Windows id and password are different from their Endpoint Encryption id
and password, Endpoint Encryption stores the windows credentials the first time they
are used. It may take two boots before the single sign on becomes active.
Require Endpoint Encryption re-logon – If the user logs out of Windows,
Endpoint Encryption will control the login box for the next login.
Automatically logon as boot user – If there are no stored Windows credentials for
the user, Endpoint Encryption tries to login to Windows with the user’s Endpoint
Encryption credentials.
Endpoint Encryption logon component always active – If selected, the Endpoint
Encryption login component is kept active on the machine even if all the other options
are disabled. This means that it can be reactivated mid-session during synchronization
with the Object Directory. If all options are deactivated, the Endpoint Encryption logon
component can only be reactivated after a reboot.
Set Endpoint Encryption Password to Windows Password – If the Windows and
Endpoint Encryption login passwords differ, users will be prompted to set the Endpoint
Encryption password to the Windows password. This option also captures the Windows
Change Password event, and again sets the user's Endpoint Encryption password to
match.
If you are using this option, it is important to ensure that the password template and
quality rules in Endpoint Encryption are identical to, or more lenient than, those in
Windows; otherwise a failed password change may occur and the user will be reset to
“12345”.
Must Match Windows User Name – This option ensures the SSO details are only
captured in the situation that the user’s Endpoint Encryption and Windows IDs match.
If they are different, no SSO details will be stored.
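The warning above about password rules is easy to check before enabling "Set Endpoint Encryption Password to Windows Password". The script below is an added example, not product code: it compares a simplified Endpoint Encryption rule set against the Windows rule set and reports every way the Endpoint Encryption side is stricter, which is exactly the condition under which the synchronized password change can fail. The rule fields (min_length, max_length, require_digit, require_mixed_case, require_symbol) are a hypothetical simplification; neither product exposes precisely these names.

```python
"""Check that Endpoint Encryption password rules are no stricter than Windows rules.

Added example (not Endpoint Encryption code). If Endpoint Encryption rejects a
password that Windows accepted, the automatic "set EE password to Windows
password" step fails and, per the guide, the user is reset to "12345". The
PasswordRules fields are a hypothetical model of both products' templates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordRules:
    min_length: int
    max_length: int
    require_digit: bool = False
    require_mixed_case: bool = False
    require_symbol: bool = False


def sync_conflicts(ee, windows):
    """Return a list describing every way `ee` is stricter than `windows`.

    An empty list means every password Windows accepts is also accepted by
    Endpoint Encryption, so the synchronized change cannot fail on policy.
    """
    problems = []
    if ee.min_length > windows.min_length:
        problems.append(f"min_length {ee.min_length} > Windows {windows.min_length}")
    if ee.max_length < windows.max_length:
        problems.append(f"max_length {ee.max_length} < Windows {windows.max_length}")
    for flag in ("require_digit", "require_mixed_case", "require_symbol"):
        if getattr(ee, flag) and not getattr(windows, flag):
            problems.append(f"{flag} required by Endpoint Encryption but not by Windows")
    return problems


def password_satisfies(rules, pw):
    """Evaluate one candidate password against a rule set."""
    if not rules.min_length <= len(pw) <= rules.max_length:
        return False
    if rules.require_digit and not any(c.isdigit() for c in pw):
        return False
    if rules.require_mixed_case and not (
        any(c.islower() for c in pw) and any(c.isupper() for c in pw)
    ):
        return False
    if rules.require_symbol and not any(not c.isalnum() for c in pw):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample policies.
    windows = PasswordRules(min_length=8, max_length=127, require_digit=True)
    ee_lenient = PasswordRules(min_length=6, max_length=255)
    ee_strict = PasswordRules(min_length=10, max_length=255, require_symbol=True)
    print(sync_conflicts(ee_lenient, windows))  # no conflicts
    print(sync_conflicts(ee_strict, windows))   # two ways EE is stricter
    # A password Windows accepts but the strict EE template rejects:
    print(password_satisfies(windows, "Winter2010"), password_satisfies(ee_strict, "Winter2010"))
```

The last line of the demonstration is the failure mode the guide describes: Windows accepts the new password, Endpoint Encryption rejects it, and the user ends up on the default password until the administrator intervenes.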
How Windows Logon works
Endpoint Encryption intercepts the Windows Logon mechanism, using a “Pass through
Shim Gina” on Windows NT, 2000 and XP, and a Credential Provider on Vista. On
Windows 2000, and XP operating systems a custom .ini file (SBGINA.INI) is used to
help Endpoint Encryption analyze the logon screen and paste the credentials into the
correct boxes on screen.
In Windows VISTA Microsoft has replaced the original MSGINA (Graphical Identification
and Authentication) with a new method called Microsoft Credential Provider. Endpoint
Encryption has modified the Single Sign On architecture and implemented a Credential
Provider to communicate with Windows. We display each of the Endpoint Encryption
Tokens as a potential logon method. If you logon to Endpoint Encryption, you will be
asked for your Windows credentials only for the first time and Endpoint Encryption will
store the Windows Credentials securely within Endpoint Encryption. On subsequent
logon events, Endpoint Encryption will use the stored Windows credentials to logon.
You can find out more about Microsoft Vista Credential Providers from the Microsoft
MSDN Website:
http://msdn.microsoft.com/msdnmag/issues/07/01/CredentialProviders/default.aspx
For more information on Endpoint Encryption ini files, see the Endpoint Encryption
Configuration Files chapter of this guide. Also see the SBGina.ini section of that
chapter if you wish to enable smartcard-based Single Sign-On to Microsoft Windows.
Note: this feature is not supported under Vista.
First Boot
The first time a user starts their newly Endpoint Encryption protected machine,
Endpoint Encryption authenticates them at boot time. If successful, the operating
system starts.
Normally they would next be presented with a Windows logon. If the Endpoint
Encryption Windows Logon architecture is fully activated, Endpoint Encryption will
automatically present the user's stored SSO id and password to Windows. If these
details are accepted, Endpoint Encryption stores a record of these credentials in a
special encrypted area of the user's profile. If Windows rejects the SSO credentials, for
example, if they have not been set, Windows displays the standard login box and the
user is forced to enter their Windows id and password.
Again, once a valid login has taken place, Endpoint Encryption stores the correct
credentials in the user’s encrypted profile, which are uploaded to the central Object
Directory on the next synchronization.
Second Boot
The second and subsequent times the user starts the machine, they login to the
Endpoint Encryption boot screen, then Endpoint Encryption supplies the stored
Windows credentials to the Windows login box.
Failed Windows Password
If/When the Windows Logon credentials become invalid, for instance if the user
changes their windows password on another system, or has it reset by an
administrator, the automatic login will fail and the standard Windows login box will
appear. Once again, once a successful login has occurred, the correct details are
stored encrypted in the user profile and uploaded on synchronization with the central
Object Directory.
Re Logon
If a user chooses to “log off” windows, they would normally expect to see the standard
Windows logon box. Endpoint Encryption takes control of this in the same way as the
initial logon screen, forcing the next user to login with their Endpoint Encryption
credentials.
If a user wants to log on to Windows using a different account from their stored
credentials, they simply cancel the default login window, then clear the “Automatically
logon to Windows” box.
Once cleared, simply select the token you want to login with.
Setting and Changing a user's SSO details
You can pre-set or change the SSO details associated with a user by right-clicking
their object and selecting “Set SSO Details”.
Auditing
Introduction
Endpoint Encryption for PC audits user, machine, and server
activity. By right-clicking on an object in the Endpoint Encryption Object Directory, you
can select the view audit function.
Audit trails are uploaded to the central directory each time a machine synchronizes.
Until that time the audit is cached internally in the encrypted Endpoint Encryption file
system. In SB4.1.1 and above, the last 3000 entries are cached locally; when the
limit is reached the oldest 300 entries are culled. The local audit will retain
approximately 2 years of normal operation before culling begins.
The permission to view or clear an audit log can be controlled on a user or group
basis. Both the administration level and administration function rights are checked
before allowing access to a log. For more information on setting these permissions see
the relevant chapter.
Audit trails can be exported to a CDF file by using the “Audit” menu option, or by
right-clicking the trail and selecting “Export”. Also, the entire audit of the directory can
be exported using the “SBAdmCL” tool. For information on this option please contact
your Endpoint Encryption representative.
The Object Directory audit logs are open-ended, i.e. they continue to grow indefinitely,
but can be cleared en masse using SBAdmCL.
Common Audit Events
The text displayed in the audit log will depend on your localization and language
settings. The following table lists the common events and their ID codes for the
American English version of Endpoint Encryption. Many events can appear at multiple
places, for example the “Login Successful” event will be logged both in the user
account doing the login, and the machine being logged into simultaneously.
Information Events
Event      Description
01000000   Audit cleared
01000001   Boot started
01000002   Boot complete
01000003   Booted non-secure
01000005   Backwards Date Change
01000004   Booted from floppy
01000010   Token battery low
01000011   Power fail
01000013   A virus was detected
01000014   Synchronization Event
01000015   Crypt Start
01000016   Crypt End
01000082   Add group
01000083   Add object
01000084   Delete group
01000085   Delete object
01000086   Import object
01000087   Export object
01000088   Export configuration
01000089   Update object
01000090   Import file set
01000091   Create token
01000092   Reset token
01000093   Export key
01000094   Recover
01000095   Create database
01000096   Reboot machine
01000098   Move Object between groups
01000099   Rename Object
010000C0   Server started
010000C1   Server stopped
Table 1. Information Audit Events
Try Events
Event      Description
02000001   Logon attempt
02000002   Change password
02000003   Forced password change
02000016   Recovery started
02000081   Database logon attempt
04000001   Logon successful
04000002   Password changed successfully
04000016   Boot once recovery
04000017   Password reset
04000018   Password timeout
04000018   Lockout recovery
04000019   Change token recovery
0400001A   Screen saver recovery
04000081   Database logon successful
08000001   Logon failed
08000002   Password change failed
08000005   Password invalidated
08000017   Recovery failed
08000081   Database logon failed
Undefined  Machine configuration expired
Undefined  A virus was detected
Table 2. Try Audit Events
Succeed Events
Event      Description
04000001   Logon successful
04000002   Password changed successfully
04000016   Boot once recovery
04000017   Password reset
04000018   Password timeout
04000018   Lockout recovery
04000019   Change token recovery
0400001A   Screen saver recovery
04000081   Database logon successful
Table 3. Succeed Audit Events
Failure Events
Event      Description
08000001   Logon failed
08000002   Password change failed
08000005   Password invalidated (too many incorrect attempts)
08000012   Machine configuration expired
08000017   Recovery failed
08000081   Database logon failed
Table 4. Failure Audit Events
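The tables above show that the leading byte of an event code identifies its category (01 Information, 02 Try, 04 Succeed, 08 Failure), which makes exported audit trails straightforward to triage. The script below is an added example, not product code or output: it parses a constructed CSV stand-in for the exported trail (the real CDF export layout is not described in this guide), classifies each row by category byte, and flags any account with repeated logon failures (08000001) inside a short window or a password-invalidation event (08000005). The column names, timestamps and user names are all constructed for the example.

```python
"""Classify exported Endpoint Encryption audit rows and flag lockout patterns.

Added example (not Endpoint Encryption code). The CSV layout below
(timestamp, object, event, description) is a constructed stand-in for the
exported trail; only the event codes and descriptions come from the guide's
tables. Category mapping by high byte is inferred from those tables.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

CATEGORY_BY_HIGH_BYTE = {"01": "Information", "02": "Try", "04": "Succeed", "08": "Failure"}

# Event codes from the guide's audit tables.
LOGON_FAILED = "08000001"
PASSWORD_INVALIDATED = "08000005"

# Constructed sample export (hypothetical layout, not real product output).
SAMPLE_EXPORT = """timestamp,object,event,description
2010-03-01 08:00:05,jsmith,02000001,Logon attempt
2010-03-01 08:00:06,jsmith,08000001,Logon failed
2010-03-01 08:00:20,jsmith,02000001,Logon attempt
2010-03-01 08:00:21,jsmith,08000001,Logon failed
2010-03-01 08:00:40,jsmith,02000001,Logon attempt
2010-03-01 08:00:41,jsmith,08000001,Logon failed
2010-03-01 08:00:42,jsmith,08000005,Password invalidated
2010-03-01 09:15:00,adoe,02000001,Logon attempt
2010-03-01 09:15:01,adoe,04000001,Logon successful
"""


def category_of(event_code):
    """Map an 8-hex-digit event code to its category via the high byte."""
    code = event_code.strip().upper()
    if len(code) != 8 or any(c not in "0123456789ABCDEF" for c in code):
        return "Unknown"  # covers the "Undefined" entries in the tables
    return CATEGORY_BY_HIGH_BYTE.get(code[:2], "Unknown")


def parse_export(text):
    """Parse the CSV export into a list of row dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "when": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "object": row["object"],
            "event": row["event"].strip().upper(),
            "category": category_of(row["event"]),
            "description": row["description"],
        })
    return rows


def summarize(rows):
    """Count rows per audit category."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["category"]] += 1
    return dict(counts)


def find_lockout_candidates(rows, threshold=3, window=timedelta(minutes=5)):
    """Return objects with >= threshold failed logons inside `window`, or any
    object that logged a password-invalidated event (08000005)."""
    failures = defaultdict(list)
    flagged = set()
    for r in sorted(rows, key=lambda r: r["when"]):
        if r["event"] == PASSWORD_INVALIDATED:
            flagged.add(r["object"])
        elif r["event"] == LOGON_FAILED:
            # Keep only failures still inside the sliding window.
            recent = [t for t in failures[r["object"]] if r["when"] - t <= window]
            recent.append(r["when"])
            failures[r["object"]] = recent
            if len(recent) >= threshold:
                flagged.add(r["object"])
    return sorted(flagged)


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print(summarize(parsed))
    print(find_lockout_candidates(parsed))
```

Because the guide notes that a logon event is written to both the user's and the machine's audit trail, a real export of a whole directory will contain each such event twice; grouping on the object name as above keeps the per-user counts correct, but the same event should be de-duplicated before counting across the whole directory.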
Recovering Users and Machines
You can recover users using the Endpoint Encryption Manager, WebHelpdesk, or the
procedure documented below. For information on recovery via the Endpoint Encryption
Center WebRecovery and WebHelpdesk options, please see the Endpoint Encryption
Manager Administration Guide.
Warning: Recovery cannot be used for resetting or changing the pin codes of smart cards.
Offline Recovery
Resetting a remote user’s password or replacing their logon token if it has been lost
requires a challenge/response procedure to be followed. The user starts their machine,
cancels any logon dialogues that may appear; they must then click Options in the
bottom left-hand part of the screen followed by the Recovery option from the menu.
This process can be used at the boot screen, windows logon, or screen saver logon.
Figure 22. The user selects Machine Recovery or User Recovery
After (optionally) entering their user name, a set of codes is displayed on the user’s
screen. The user needs to telephone their helpdesk and read the codes to the
administrator. The user code is time based, and unique to the user and machine.
Figure 23. Starting the recovery process
The administrator must log into the Endpoint Encryption Manager and select any
machine group. This will activate the Recovery button options on the toolbar and the
top menu. The administrator should then click the Recovery button. Note: there is no
need to find the correct user beforehand.
The administrator will be prompted to enter the user code in the wizard, and if correct
will be given the opportunity to check the user’s profile if the administrator has
sufficient access rights to recover the user (based on their level and group
memberships). The administrator should use this opportunity to validate the user by
asking them questions based on the hidden information stored in their account. Only if
successful should the helpdesk actually allow the user’s password to be reset.
If the administrator is happy that the user on the telephone is legitimate, they can
proceed with the next step in recovery.
Figure 24. Selecting the recovery option
The administrator selects the option they want to perform. If a user name was entered,
a user recovery proceeds; if no user name was entered, a machine recovery can be
performed.
Boot Once – The machine boots with no user logged in.
Unlock Screen Saver – The screen saver is cleared.
Reset the user's password – The user's password is reset to the token default, and the
user can then change it to a new password. This option does not function if the user
is disabled due to too many invalid passwords; to resolve this, see "Change
Token".
NOTE: Some tokens do not support password resets through Endpoint Encryption, examples of this include
the DataKey Smartcard, RSA Smartcard, and Aladdin eToken Pro. For information on how to reset the
password on these devices contact the appropriate manufacturer.
To recover an Endpoint Encryption user who has forgotten their password in this case, either issue them
with a new token, or temporarily switch them to use a password using the “Change Token” recovery option.
Unlock a disabled user – If a user account is marked as disabled in the object
database, it can be temporarily activated using this option. When the machine
synchronizes with the Object Directory, the account will be re-disabled if their security
profile in the Directory still indicates this.
Create Token – If supported by the token, this option allows administrators to
remotely create a new token for the user to replace a lost one. The Endpoint
Encryption Password login always supports remote recreation. For further information
on other tokens, see Using Tokens with Endpoint Encryption for PC.
Change the user’s token to – Changes or resets the user’s token to the one
specified. The administrator needs to have pre-generated the token for the user. If a
user has invalidated their password account through too many invalid attempts,
changing their token to “password only” recreates their “soft token” and allows them
to enter the default password again.
WARNING: If you change a user’s token using this method, remember that next time their machine
synchronizes with the Endpoint Encryption directory, their token will be set to whatever is specified in their
user properties stored currently in the database. If you want the change to be permanent remember to set
their token type in the user properties window.
Figure 25. User’s recovery code
The final step is to read the recovery code back to the user. The length of this code is
controlled by the token recovery key size set in the user's "token" properties or, in the
case of a machine, by the recovery key size set in the encryption properties.
The user enters the code line by line into the pre-boot dialog. Each line is
checksummed, so a mis-typed line is detected before the code is accepted. Once the
whole code has been entered, the selected action occurs.
Local Recovery
The Local Recovery option allows the user to reset a forgotten password by answering
a set of security questions. Because the answers become an alternative way of
unlocking the machine, treat them with the same care as the password: choose
questions whose answers are not easily discovered, and use the minimum answer
length described under Add below.
The full list of security questions is set by the administrator using the Endpoint
Encryption Manager. Note: Endpoint Encryption contains a generic set of questions.
When the user first sets up their local recovery feature, they will be prompted to select
a number of questions and provide the answers to them. These form the basis of
their local self-recovery feature.
Setting Local Recovery for a user name or user group
Using Endpoint Encryption Manager, the administrator assigns the local recovery
option to the user’s logon, or, to a user group. The local recovery options are available
from the user logon or group Properties screen. See below.
Figure 26 ‐ Setting the Local Recovery options
Enable Local Recovery
Selecting this check box will set Local Recovery for the specified user or user group.
Require ? questions to be answered
This option determines how many questions the user must select to perform a Local
Recovery.
Allow ? logons before forcing user to set answers
This option determines how many times a user can logon without setting their Local
Recovery questions and answers.
Add
The Add button will load the Local Self Recovery Question dialog box and allow you
to create a new question. You can also specify the language that question should be in
and the minimum number of characters the user must specify when configuring the
answer to this question.
Remove
The Remove button will remove a selected question from the list.
Edit
The Edit button will allow you to edit the configuration of a selected question.
Apply
The Apply button will save any changes that have been made.
Restore
The Restore button will undo your changes and restore the Local Recovery options to
the previous settings (providing you have not clicked the Apply button).
User Local Recovery Procedures
Configuring your Local Recovery Questions
The Local Recovery option allows the user to reset a forgotten password by answering
a set of security questions. The user must configure these questions, i.e. provide the
answers to a selected set of questions. In the event that the user forgets their
password they can run a local self recovery to gain access to their machine.
When the user logs on, they will be prompted to specify a set of questions and
answers; this exercise is performed once only.
1. Enter your username and password at the logon screen.
2. From the Local Recovery Enrollment screen, select a question from the
drop down list.
3. Enter the answer to the question into the Answer box.
4. Click Next.
5. Repeat this process until you have answered all the questions. Note: the
Endpoint Encryption administrator will determine how many questions you
need to answer.
6. When you have answered all the questions click the Finish button. Local
Recovery is now set.
Performing a Local Recovery
These are the steps the client user must follow to perform a local self recovery.
1. At the preboot screen, cancel the Endpoint Encryption Logon.
2. Click the Options button on the preboot screen.
3. Click Recovery from the menu followed by Local Recovery.
4. Enter your username into the User name field and click Next.
5. Enter the answer to each question in turn, clicking the Next button to move
forward.
6. Enter a new password and confirm it.
7. Click the OK button to complete the process.
8. Select the Password Only Token option from the preboot screen.
9. Enter your username and new password to logon.
Online Recovery
If a user's machine is online when they forget their password or lose their token,
simply create a new token for them in the Endpoint Encryption directory and force a
sync of their machine to apply the change.
You can reset a user's password by simply generating a new password token for them.
Trusted Applications
76 |
Trusted Applications
Endpoint Encryption's client can restrict which applications and code users are
allowed to run. Using this mechanism, you can restrict access to certain applications
for a few users, or prevent users running any application that is not pre-defined.
With this system you can apply untrusted control, for example to prevent access to
pre-defined tools such as "regedit.exe" for all but administrators. With untrusted
control, unknown applications are allowed to run and known applications are blocked.
You can also apply trusted control, where ONLY pre-defined code can run and
unknown code is blocked. This is useful, for example, when you want to lock down an
entire build image so that it becomes impossible for users to run any application other
than the ones distributed in the "gold build".
Endpoint Encryption application control takes effect once a user has logged into
Windows; it does not affect code run in the context of booting the operating system.
To prevent applications and code being run at that stage, use appropriate operating
system security settings, for example disallowing device driver updates.
Hash Sets
The first step in applying application control to Endpoint Encryption users is to create
sets of "hashes" for the code modules using the Endpoint Encryption Hash Generator
(see the Hash Generator chapter).
A hash set contains a hash (an MD5 digest) of each file in the scope of the set. Distinct
files will not share a hash by accident, but MD5 is not collision resistant: two different
files with the same MD5 hash can be deliberately constructed, so a hash set is a
fingerprint of file content, not a digital signature.
When Endpoint Encryption applies control to applications, it calculates the hash of
the code (.exe file, .dll etc.) that the user is trying to run and compares it to the list of
hashes applied to the user. The location of the code does not matter, only its
content: if a user moves or renames a restricted application, it is still blocked.
Conversely, any change to a file's content, such as a patch or a new version, changes
its hash, so updated versions of allowed applications must be hashed and imported
again.
After creating a hash set for the files or directories containing the sample code
modules, create an "Endpoint Encryption Hashes Group" in the Endpoint Encryption
database to contain them. Within the group, create new hashes objects to hold the
hash sets created previously.
Figure 27. Hash Group
Hash Set Properties
General
Hash Count
Displays the number of file hashes stored in this object. You can remove duplicates
using the File Hashes/Compact function.
Description
A text description of this hash set – for example its source.
File Hashes
Import
Allows you to import one or many hash sets created with the Endpoint Encryption
Hash Generator into this hash object.
Export
Saves the contents of this hash object as a hash set.
Compact
Removes duplicate entries from this hash object – As Endpoint Encryption Application
Control is driven by the hash (or digital signature) of a file, not its location, only one
entry per file is required.
Remove
The option removes a single file entry from this hash object.
WARNING: You can add entries only by importing hash files.
Using Hash Sets
After creating hash sets, you can assign both hash objects and hash groups to users
through their "application control" properties.
You can specify one of two modes of application control, "Untrusted" and "Trusted":
Untrusted
In the case of untrusted control, if the hash is known then the code is prevented from
running.
Trusted
In the case of trusted control, if the code is known it is allowed to run, whereas all
unknown code is blocked.
These options can be summarized in the following table:
                               Known applications    Unknown applications
Untrusted application control  Optionally blocked    Allowed
Trusted application control    Allowed               Optionally blocked
Table 5. Trusted Application Logic
You can also set whether to actually block the code or simply log it for future
analysis. This log-with-no-blocking option is useful when debugging hash sets that do
not block as expected; while it is enabled nothing is blocked, so switch back to
blocking once the hash set is correct.
Hash Generator
| 79
Hash Generator
Introduction
Endpoint Encryption Hash Generator creates "Hash Sets" for use with the application
control feature of Endpoint Encryption. For more information on application control,
see the Using Hash Sets section.
The generator creates MD5 hashes of the selected files and packages them into an
Endpoint Encryption hash set (HSH file).
Using Hash Generator
Open the Hash Generator by selecting Start > McAfee Endpoint Encryption
Manager > Endpoint Encryption File Hash Generator.
After selecting the output file name, add the files (or folders) you want to include in
the hash set. Finally, select Hash; the specified HSH file is generated.
The progress window shows the activity. Once completed, you can import the resultant
hash set into your Endpoint Encryption directory.
Common Criteria EAL4 Mode Operation
80 |
Common Criteria EAL4 Mode Operation
CESG in the United Kingdom has certified the following product to the standard
EAL4:
• Endpoint Encryption for PC Client
To apply this standard to your implementation of Endpoint Encryption, you need to
ensure the following criteria are met:
Administrator Guidance
• Endpoint Encryption must be installed using the Endpoint Encryption AES
(FIPS) 256-bit algorithm.
• Administrators must enforce the following policy settings:
- A minimum password length of 5 characters or more (this is the certified
floor, not a recommendation; longer minimums are advisable)
- Disabling of accounts after 10 or fewer invalid password attempts
- All data and operating system partitions on the machines where the
Endpoint Encryption client has been installed MUST be fully encrypted.
You can check conformance by viewing the Endpoint Encryption client
status window: if any drives are highlighted in red, they are not fully
encrypted.
- Administrators must enforce use of the Endpoint Encryption Secure
Screen Saver mode
- Use of "Autoboot Mode" is prohibited
- Machine and user recovery key sizes must be non-zero
(Machine/Encryption properties and User/Token properties)
To comply with CC regulations, these policy settings must be applied before installing
any clients.
• There must be a system in place for maintaining secure backups that are
separately encrypted or physically protected to ensure data security is not
compromised through theft of, or unauthorized access to, backup information.
• Backups should be regular and complete to enable system recovery. This is
essential in the event of loss or damage to data as a result of the actions of a
threat agent and to avoid vulnerability through being forced to use less secure
systems.
• Users (including administrators) must protect all access credentials, such as
passwords or other authentication information, in a manner that maintains IT
security objectives.
• Customers implementing an Endpoint Encryption enterprise must ensure that
they have in place a database of authorized TOE users, along with user-specific
authentication data, so that administrative personnel can verify the identity of a
user over a voice-only telephone line before providing support or initiating
recovery. Endpoint Encryption provides the means to display personal
information such as the user's ID number as part of the "User Information
Fields", but any other appropriate system is acceptable.
• Administrators should ensure their users are fully trained in the use of the
Endpoint Encryption for PC Client software as described in the Client Software
chapter of this guide, and should remind them of the security procedures
detailed in the User Guidance below.
User Guidance
• Users must maintain the confidentiality of their logon credentials, such as
passwords and tokens.
• Users must not leave an Endpoint Encryption-protected PC unattended in a
logged-on state unless it is protected by the secure screen saver.
• Users must be informed of the process they need to follow to contact their
administrator in the event that they need to recover their PC, for example if
they forget their password or their user account becomes disabled, whether
through the actions of the administrator or through repeated incorrect login
attempts.
Common Criteria EAL4 Certificate
You can find the official recognition of this certification on CESG’s website:
http://www.cesg.gov.uk/products_services/iacs/cc_and_itsec/media/certreps/
CRP227.pdf
Algorithm Certificate Numbers
AES
Cert 21 and 170: ECB(e/d; 256); CBC(e/d; 256); CFB8(e/d; 256)
http://csrc.nist.gov/cryptval/aes/aesval.html
SHA1
Cert 71 and 254
http://csrc.nist.gov/cryptval/shs/shaval.htm
DSA/DSS
DSS cert 53 and 112: Sig(ver) Mod(all)
http://csrc.nist.gov/cryptval/dss/dsaval.htm
RNG
Cert 15: AES, DSA, SHA and RNG tested on AMD Athlon XP with Windows XP SP1 and on
Pentium III with Windows 2000
http://csrc.nist.gov/cryptval/rng/rngval.html
DES
Cert 145: CBC(e/d); CFB(8 bits; e/d)
http://csrc.nist.gov/cryptval/des/desval.html
Only the AES 256-bit algorithm is permitted in the EAL4 configuration (see
Administrator Guidance above).
Endpoint Encryption Configuration Files
| 83
Endpoint Encryption Configuration Files
Endpoint Encryption uses many .ini files to maintain information about the
configuration of various components. Some of the more important files are listed here.
sbgina.ini
Used by the Endpoint Encryption for PC client to control the Windows logon
mechanism. SBGina.ini contains the references used to populate the user ID, password
and domain boxes of a logon dialog, and the ID of the OK button. Because the SSO
module types the user's Windows credentials into whichever controls a matching
section names, verify any new or edited section against the trace output before
deploying it.
The Trace option is an aid to implementing SSO for further dialogs. If this option is set
to "Yes", information about every window that is created during the logon process is
written to the defined trace file.
If you want to activate smart card based single sign-on with the possibility of passing
the smart card PIN through to Windows, you need to add the [Smartcard] section as
specified in the example below:
[Global]
;Version 5110
;
; This option is an aid to implementing SSO to further dialogs. If this option
; is set to "Yes", then information about every window that is created when
; a logon dialog is expected is saved to the file specified (or "LOGONWND.TXT"
; if not supplied). Note the file will always be in the SafeBoot directory.
;
Trace.LogonWindowInfo=No
Trace.FileName=LOGONWND.TXT
;
; This is an option (NT only) that controls the behaviour of SafeBoot's Gina
; when unlocking a locked workstation. The possible values are
;
; SbOnly = only a SafeBoot logon is used (the default)
;
; SbWindowsSso = a SafeBoot logon is required then SSO is attempted
; to the original Gina.
;
;Option.UnlockWorkstationMode=SbOnly
;
; This option (NT only) controls the ability of the user to cancel the
; Windows SSO attempt from the SafeBoot logon dialog. Possible values are
;
; Yes - Allows the user to cancel the SSO attempt (the default)
;
; No - Prevents the user from cancelling the SSO attempt
;
;Option.AllowSsoCancel=Yes
;
; These options control how the user names are treated when they are compared.
; The UPN (User Principal Name) format is of the form user@domain. To
; successfully compare the user names, the format needs to be the same for
; both the Windows and SafeBoot names.
;
; Note that Windows will always supply the user name to the SafeBoot Gina
; module as a user name and domain name (i.e. not DNS name).
;
; If the DetectUPN option is set to "Yes", then SafeBoot will detect whether the
; user names are in UPN format by looking for an "@" character. If this is
; set to any other value, SafeBoot will not manipulate the user names in any
; way.
;
; Examples:-
;
; SB user name = "user@domain"
; Windows user name = "user"
; Windows domain = "domain"
;
; Comparison will be between SB="user" and Win="user".
;
; SB user name = "user"
; Windows user name = "user@domain"
; Windows domain = "domain"
;
; Comparison will be between SB="user" and Win="user".
;
; SB user name = "user@domain"
; Windows user name = "user@domain"
; Windows domain = "domain"
;
; Comparison will be between SB="user" and Win="user".
;
;Option.Username.DetectUPN=Yes

[SmartCard]
;
; This option enables looking for smart cards used for Windows logon. It
; can be either "On" or "Off". If this is set to "On", the SB Gina will
; attempt to detect the presence of a smart card and allow the user to
; choose to logon with the smart card or with the standard user name and
; password.
;
;Enabled=Off
;
; If the smart card check is enabled, then this option can be used to force
; the use of smart cards or the standard password. This can be "Off" to
; automatically determine which to use, "Pin" to force the use of a smart
; card or "Pwd" to force the use of the standard password.
;
;Force=Off
;
; This option controls the number of seconds the gina will wait for the
; user to decide which logon method to use (smart card or password). If this
; is set to zero, then the user will not be prompted at all.
;
;TimeoutSecs=5
;
; This option controls whether the SafeBoot SSO details are updated when
; the user logs on with a smart card. If this is set to "No", then the SSO
; details are not changed if the user logs on with a smart card. This will
; prevent the smart card PIN being used to automatically logon to Windows.
;
;EnableSso=Yes
;
; If this option is set to "Yes", then if a smart card is inserted when
; a user logs off and back on again, the SafeBoot logon will not be displayed
; even if it is set to do so in the configuration. If a smart card is not
; present, then the SafeBoot logon will be displayed.
;
;DontSbRelogonIfSc=No

[Windows.NT.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the NT derived versions of Windows (NT4/2000/XP).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSGina.NT4.LogonDialog
Window2=MSGina.W2K.LogonDialog
Window3=MSGina.XP.LogonDialog
Window4=MSGina.WIN2003.LogonDialog
Window5=NWGina.NT.LogonDialog
Window6=NWGinaJP.NT.LogonDialog
Window7=FSSGina.XP.LogonDialog
Window8=CSGina.W2K.LogonDialog
Window9=CSCOGina.W2K.LogonDialog
Window10=ODYGINA.W2K.LogonDialog
Window11=PRM_GINA.XP.LogonDialog
Window12=IPASS.XP.LogonDialog
Window13=TRYIT.XP.LogonDialog

[Windows.NT.Locked]
;
; Lists all the sections that contain information about the workstation locked
; logon windows for the NT derived versions of Windows (NT4/2000/XP).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSGina.XP.LockedDialog
Window2=FSSGina.XP.LockedDialog

[Windows.9x.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the Windows 9x versions of Windows (95/98/ME).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSNP.9x.LogonDialog
Window2=NWNP.9x.LogonDialog
Window3=NWNPJP.9x.LogonDialog

;----------------------------------------------------------------------------
; The logon window definition sections for NT/W2K/XP
;
[MSGina.NT4.LogonDialog]
;
; The operating system version to which this section applies. You can specify
; the value of "Any" for either field (which is the default if not specified).
;
OS.MajorVersion=4
OS.MinorVersion=Any
;
; The original DLL to which this section applies. If the name is not
; specified or set to "Any", all original DLLs match. If any part of the
; four-part file version is set to "x", then all values for that
; component are matched (e.g. 4.1.0.x).
;
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=x.x.x.x
;
; Specifies information about the window that we can use to identify it.
; For both the class and title, setting a value of "Any" will match any
; window. Starting the value with a "*" means the remainder of the value
; is treated as a substring, and hence if it occurs anywhere in the window
; title/class it is matched. Otherwise the whole value must match (case
; insensitive).
;
Window.Title=Any
Window.Class=#32770
;
; The control identifiers of controls that are used by the SSO module to
; simulate logons.
;
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1453
Dlg.CtrlId.Password=1454
Dlg.CtrlId.Domain=1455
;
; Optional entries which list up to 10 IDs that must come before the ID
; specified above and up to 10 IDs that must come after. The IDs are specified
; as a comma-separated list.
;
;Option.CtrlId.OK.Preceeding=1,2,3
;Option.CtrlId.OK.Following=5,6,7
;Option.CtrlId.UserName.Preceeding=1,2,3
;Option.CtrlId.UserName.Following=5,6,7
;Option.CtrlId.Password.Preceeding=1,2,3
;Option.CtrlId.Password.Following=5,6,7
;Option.CtrlId.Domain.Preceeding=2204,2203
;Option.CtrlId.Domain.Following=5,6,7
;
; If this is set to "Yes" then the user/password fields are captured from the
; dialog box rather than using the values supplied by the original gina.
;
Option.CaptureFromDlg=Yes
;
; These options define how text is entered into the various fields when
; simulating a logon. Mode 0 sets the text directly into the controls, while
; mode 1 sends characters one at a time (simulating pressing keys) and mode 2
; selects from a combo box.
;
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.W2K.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[CSCOGINA.W2K.LogonDialog]
;This section is for Cisco's Gina for Windows 2000, which is the same as the standard one, but
;has a different extension.
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=CSCOGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[ODYGINA.W2K.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=ODYGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[PRM_GINA.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=PRM_GINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[CSGina.W2K.LogonDialog]
;This section is for Cisco's Gina for Windows 2000, which is the same as the standard one, but
;has a different extension.
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=CSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[IPASS.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=ipgina.dll
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

;this one just tries the standard settings...
[TRYIT.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=Any
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.XP.LockedDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1953
Dlg.CtrlId.Password=1954
Dlg.CtrlId.Domain=1956
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.WIN2003.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=02
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[NWGina.NT.LogonDialog]
OS.MajorVersion=Any
OS.MinorVersion=Any
OrigDll.Name=NWGINA.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1202
Dlg.CtrlId.Password=1204
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2
Option.CtrlId.UserName.Preceeding=1201
Option.CtrlId.Password.Preceeding=1203
Option.CtrlId.Domain.Preceeding=2204,2203

[NWGinaJP.NT.LogonDialog]
OS.MajorVersion=Any
OS.MinorVersion=Any
OrigDll.Name=NWGINA.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=3002
Dlg.CtrlId.Password=3004
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2

[FSSGina.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=FSSGINA.DLL
Window.Title=Any
Window.Class=Any
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=0
Dlg.CtrlId.Password=1001
Dlg.CtrlId.Domain=0
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2

[FSSGina.XP.LockedDialog]
;This section is for the Macnica specific FSS Gina
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=FSSGINA.DLL
Window.Title=Any
Window.Class=Any
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=0
Dlg.CtrlId.Password=1001
Dlg.CtrlId.Domain=0
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2
;----------------------------------------------------------------------------
; The logon window definition sections for Win9x/ME
;
[MSNP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=MSNP32.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=21
Dlg.CtrlId.Password=23
Dlg.CtrlId.Domain=25
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=0

[NWNP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=NOVELLNP.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1202
Dlg.CtrlId.Password=1204
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=0

[NWNPJP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=NOVELLNP.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=3002
Dlg.CtrlId.Password=3004
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=0
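The window-matching rules that the comments in sbgina.ini describe (OS version, original DLL name and x-wildcard file version, "Any" and leading-"*" matching for window title and class, and WindowN sections checked in numerical order with no gaps), as an added Python example that is not part of the product or this guide. It reads a constructed three-section fragment shaped like the file above; the section contents, the control IDs and the window descriptions fed to it are illustrative. It does not touch a real GINA: it only answers which section would be selected for a given dialog and which control IDs the SSO module would then use, which is what you want to check before deploying an edited sbgina.ini.

```python
import configparser
import re

# Constructed sbgina.ini fragment shaped like the real file (illustrative values).
SAMPLE_SBGINA = """
[Windows.NT.Logon]
Window1=MSGina.W2K.LogonDialog
Window2=NWGina.NT.LogonDialog
Window3=TRYIT.XP.LogonDialog
[MSGina.W2K.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
[NWGina.NT.LogonDialog]
OS.MajorVersion=Any
OS.MinorVersion=Any
OrigDll.Name=NWGINA.DLL
OrigDll.FileVersion=4.91.x.x
Window.Title=*Novell
Window.Class=#32770
Dlg.CtrlId.UserName=1202
Dlg.CtrlId.Password=1204
Dlg.CtrlId.Domain=1001
[TRYIT.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=Any
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
"""


def load_sbgina(text):
    """configparser lower-cases option names, so keys are looked up in lower case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def rule_order(cp, list_section):
    """Rule section names WindowN in numerical order; a gap in the numbering
    is an error because the file format says the list may not contain gaps."""
    numbered = {}
    for key, value in cp.items(list_section):
        m = re.fullmatch(r"window(\d+)", key)
        if m:
            numbered[int(m.group(1))] = value
    expected = list(range(1, len(numbered) + 1))
    if sorted(numbered) != expected:
        raise ValueError(f"{list_section}: Window keys must run 1..n without gaps")
    return [numbered[n] for n in expected]


def match_version_part(pattern, value):
    return pattern.lower() == "any" or int(pattern) == int(value)


def match_file_version(pattern, value):
    """Four dotted components; an 'x' component matches anything (e.g. 4.1.0.x)."""
    if pattern.lower() == "any":
        return True
    p, v = pattern.split("."), value.split(".")
    return len(p) == 4 and len(v) == 4 and all(a.lower() == "x" or a == b for a, b in zip(p, v))


def match_text(pattern, value):
    """'Any' matches everything; a leading '*' makes the rest a substring match;
    otherwise the whole value must match. All comparisons are case-insensitive."""
    if pattern.lower() == "any":
        return True
    pattern, value = pattern.lower(), value.lower()
    return pattern[1:] in value if pattern.startswith("*") else pattern == value


def find_rule(cp, list_section, window):
    """First rule matching a window described by os_major, os_minor, dll_name,
    dll_version, title and cls. Returns (section name, control ids) or None."""
    for name in rule_order(cp, list_section):
        s = cp[name]
        if (match_version_part(s.get("os.majorversion", "Any"), window["os_major"])
                and match_version_part(s.get("os.minorversion", "Any"), window["os_minor"])
                and match_text(s.get("origdll.name", "Any"), window["dll_name"])
                and match_file_version(s.get("origdll.fileversion", "Any"), window["dll_version"])
                and match_text(s.get("window.title", "Any"), window["title"])
                and match_text(s.get("window.class", "Any"), window["cls"])):
            ids = {c: s.getint(f"dlg.ctrlid.{c}") for c in ("username", "password", "domain")}
            return name, ids
    return None
```

Run it against a description of the dialog you captured with the Trace option: if the first section that matches is not the one you intended, the credentials would be typed into that section's control IDs, so fix the ordering or tighten the title, class or version pattern before rolling the file out.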
sberrors.ini
This file is used to increase the detail available in on-screen error messages. You can
add further descriptions to errors by amending this file.
sbhelp.ini
This file is used to match on-screen windows to their help file sections.
sbfeatur.ini
This file controls the feature set available to Endpoint Encryption. This file is digitally
signed by the Endpoint Encryption team and must not be modified.
scm.ini
Configuration manager file; controls options such as which directory to connect to and
which group to install into.
[Install]
GroupID=the ID of the group this machine will relate to
[Databases]
DatabaseID1=1
TryLastGoodFirst=Yes
LastGoodConnection=1
[Uninstall]
Sbsetup.exe=sbsetup.exe
You can limit the size of the SCMLOG.txt file using the following parameters (values
are in KB; 128 and 16 are the values given here). If the log grows beyond about
10,000 lines, the performance of the client machine can suffer.
[Log]
MaxSize=128 ;number of KB to keep in the log
PurgeSize=16 ;number of KB to delete when the log reaches MaxSize
You can specify the pre-configuration connection behaviour by setting the following
parameters:
[Defaults]
;this section defines settings that apply before SafeBoot is
;actually active on the machine.
BootSynchDelay=0 ;delay before synching on boot, in minutes
RandSynchDelay=0 ;an extra maximum random delay before synching, in minutes
SynchInterval=0 ;time between automatic synch retries
You can turn on tracing of the Endpoint Encryption client with the following section.
Trace output is written to SBCM.log in the same directory as the application.
[Debug]
Trace=1 ;trace activity, 1 = on, 0 = off
You can set a message to be displayed and a timeout when an administrator performs
a remote shutdown of the client (using the machine/Reboot menu option).
[Reboot]
Message=some text to display
Timeout=10 (seconds)
[disk]
Sbfs.defaultsize=10         ;Default size of SafeBoot.FS (in MB)
Install.clearcryptlist=1(0) ;Determines whether to clear the cryptlist
                            ;for a drive on install, or to leave it set.
Boot.message=Starting SafeBoot %d%d ;The default starting message

[boot]
Hookflags=…                 ;Internal use only – do not change.
defscm.ini You can pre-set parameters used in the SCM.ini file created within install sets by
creating a file “defscm.ini” in the Administration system directory containing the lines
and sections you want to pre-define. defscm.ini is used as a seed to create the unique
scm.ini file for the install set.
sdmcfg.ini This file is used by the Endpoint Encryption Client to control the connection to the
Object Directory. There may be many connections listed in the file; the multi-connection
behavior is controlled through scm.ini.
[Databases]
Database1=192.168.20.57     The IP address of the remote server. This can also be a DNS name.

[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
ServerKey=…                 The public key of the remote server. It is used to stop an attacker
                            putting a rogue server in place and intercepting the traffic.
ExtraInfo=…                 Padding for the ServerKey.
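As an added example (this is not McAfee's code and not part of the guide), the following Python script checks an sdmcfg.ini for remote connections that would accept a server without the ServerKey pin or with Authenticate=No. The sample file it contains is constructed: the second connection is deliberately misconfigured, the hostnames are placeholders and the ServerKey value is not a real key.

```python
# Added example, not McAfee's code: lint an sdmcfg.ini so that every remote
# Object Directory connection both authenticates the server (Authenticate=Yes)
# and pins its public key (ServerKey=...), since a connection without either
# would accept a rogue server. The layout follows the guide: [Databases] lists
# DatabaseN=host and each [DatabaseN] section holds the connection details.
# SAMPLE_SDMCFG is constructed; the second entry is deliberately misconfigured
# and the ServerKey value is a placeholder, not a real key.
import configparser

SAMPLE_SDMCFG = """\
[Databases]
Database1=192.168.20.57
Database2=eem-backup.example.internal

[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
ServerKey=<public-key-blob-placeholder>

[Database2]
Description=Backup directory (misconfigured)
IsLocal=No
Authenticate=No
Port=5555
"""

def lint_sdmcfg(ini_text):
    """-> [(connection_name, problem)]; an empty list means every remote entry is pinned."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                   # keep DatabaseN names as written
    cp.read_string(ini_text)
    if not cp.has_section("Databases"):
        return [("*", "no [Databases] section")]
    findings = []
    for name, host in cp.items("Databases"):
        if not cp.has_section(name):
            findings.append((name, "listed in [Databases] but [%s] section is missing" % name))
            continue
        sec = cp[name]
        if sec.get("IsLocal", "No").strip().lower() == "yes":
            continue                       # local database: no network trust decision
        if sec.get("Authenticate", "").strip().lower() != "yes":
            findings.append((name, "Authenticate is not Yes; a rogue server at %s would be accepted" % host))
        if not sec.get("ServerKey", "").strip():
            findings.append((name, "no ServerKey pinned for %s" % host))
        if not sec.get("Port", "").strip().isdigit():
            findings.append((name, "Port is missing or not numeric"))
    return findings

if __name__ == "__main__":
    for conn, problem in lint_sdmcfg(SAMPLE_SDMCFG):
        print(conn + ": " + problem)
```

Run it against the sdmcfg.ini inside an install set before the set is deployed; the guide gives no format for the ServerKey value, so the script only checks that one is present.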
TrivialPwds.dat This file provides a dictionary of forbidden passwords. Create a Unicode text
file with one password per line and deploy it to the client machines. You also need to
enable the user template option “no simple passwords”.
The file needs to be deployed to the “[appdir]\SBTokens\Data” folder.
NOTE: It is more effective to restrict passwords using a template which insists on numeric or special
characters than to supply a long list of forbidden words.
Bootcode.ini Bootcode.ini defines the behaviour of the Endpoint Encryption pre-boot environment.
This file is not commonly modified by the end user as it is a system-only file. The file is
stored in Endpoint Encryption’s pre-boot environment in the \boot directory.
[TokenSelect]
; the token type id of the last token the user selected.
Default=0x01000000

[Locale]
;
; the user selected language to use (reference a key in the [Languages] section
; of the \Locale\Locale.ini file).
;
Language=EnglishUS
;
; the user selected keyboard to use (reference a key in the [Keyboards] section
; of the \Locale\Locale.ini file).
;
Keyboard=US

[Audit]
;
; The maximum allowed audit events
;
MaxEvents=3000
;
; The number of events to remove when the maximum is reached
;
PurgeCount=300
BootManager.INI This file controls the partition names specified when the Endpoint Encryption Boot
Manager is enabled. The file is stored in Endpoint Encryption’s pre-boot environment in
the \boot directory.
[Partition.Names]
Partition0=My secure partition
Partition1=My insecure partition
Errors.XML This is an XML version of SBErrors.ini to allow Unicode translation. Endpoint Encryption
for PC uses SBErrors.XML instead of SBErrors.ini if both exist.
AutoBoot.ini The autoboot.ini file allows you to set a unique default password for the $autoboot$
user(s). The file is created in the [appdir]\Boot directory in the following format:
[AutoBoot]
Password=mypassword
The password is held in this file in the clear, so protect the file as carefully as the password itself.
SbClientFileSet.ini The SbClientFileSet.ini file is used to define what files are imported into the database.
SBWinLogonOpts.XML This file can be used to exclude users from single sign-on logon; for example,
VMware user accounts can otherwise override the single sign-on even though the “Must Match the
Windows user name” option has been selected.
<SafeBoot>
  <SetSbPwd>
    <Exclusions>
      <User name="__Vmware_User__" />
    </Exclusions>
  </SetSbPwd>
</SafeBoot>
SBCP.INI Microsoft introduced a new logon method with the Vista operating system: a
credential provider (CP) that replaces MSGina.dll. A CP works differently from the
MSGina; credential providers are not cascaded, so several can be active next to each
other. If you enable the Require Endpoint Encryption logon option in the Machine
General Windows Logon options, then the Endpoint Encryption credential provider is
activated on the client's Windows logon; be aware that all other credential providers
will also be available.
The SBCP.ini activates the CP. If a customer requires another CP to run in parallel,
this can be defined in the SbCp.ini (in the Endpoint Encryption client directory).
Create the SBCP.ini; to enable all other credential providers add:
[CredentialProvider.Filter]
DefaultAction=Enable
If you want to enable or disable specific credential providers, add entries to the
section [CredentialProvider.Filter.Providers] with the credential provider's GUID on
the left and either "Enable" or "Disable" on the right. For example, to enable just the
Microsoft password credential provider you would add:
[CredentialProvider.Filter]
DefaultAction=Disable
[CredentialProvider.Filter.Providers]
{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}=Enable
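To see what a given SBCP.ini actually leaves active at the Windows logon, here is an added Python example (not McAfee's code) that evaluates the filter as the guide describes it: DefaultAction applies to every provider that has no entry of its own in [CredentialProvider.Filter.Providers]. The two INI texts are the guide's examples above; the OTHER_CP GUID is an invented placeholder for any third-party provider found on a client, and the script refuses a file with no DefaultAction because the guide does not say what that means.

```python
# Added example, not McAfee's code: evaluate an SBCP.ini credential provider
# filter the way the guide describes it (DefaultAction applies unless the
# provider's GUID has its own Enable/Disable entry), so you can see which other
# credential providers stay active beside the Endpoint Encryption provider
# before the file is pushed out in a file group. Both INI texts are the guide's
# two examples; OTHER_CP is a made-up placeholder GUID standing in for any
# third-party provider registered on the client.
import configparser
import re

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

MS_PASSWORD_CP = "{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}"   # quoted in the guide
OTHER_CP = "{00000000-0000-0000-0000-000000000abc}"          # placeholder, not a real CP

ALLOW_ALL = """\
[CredentialProvider.Filter]
DefaultAction=Enable
"""

PASSWORD_ONLY = """\
[CredentialProvider.Filter]
DefaultAction=Disable

[CredentialProvider.Filter.Providers]
{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}=Enable
"""

def load_filter(ini_text):
    """-> (default_enabled: bool, {guid_lower: enabled}); ValueError on a malformed file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep GUID text exactly as written
    cp.read_string(ini_text)
    options = {k.lower(): v for k, v in cp.items("CredentialProvider.Filter")} \
        if cp.has_section("CredentialProvider.Filter") else {}
    if options.get("defaultaction", "").lower() not in ("enable", "disable"):
        # The guide never states what an absent DefaultAction means, so refuse to guess.
        raise ValueError("DefaultAction must be present and be Enable or Disable")
    overrides = {}
    if cp.has_section("CredentialProvider.Filter.Providers"):
        for guid, action in cp.items("CredentialProvider.Filter.Providers"):
            if not GUID_RE.match(guid):
                raise ValueError("not a credential provider GUID: %r" % guid)
            if action.lower() not in ("enable", "disable"):
                raise ValueError("%s must be Enable or Disable, got %r" % (guid, action))
            overrides[guid.lower()] = action.lower() == "enable"
    return options["defaultaction"].lower() == "enable", overrides

def provider_enabled(ini_text, guid):
    """True if the filter leaves this provider selectable at the Windows logon."""
    default_enabled, overrides = load_filter(ini_text)
    return overrides.get(guid.lower(), default_enabled)

def active_providers(ini_text, registered_guids):
    """Given the CP GUIDs registered on a client, return those the filter keeps active."""
    return [g for g in registered_guids if provider_enabled(ini_text, g)]
```

Feed active_providers() the GUIDs registered under the client's HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers key and compare the result with what you intend to allow before adding the file to the Client Files file group; with DefaultAction=Enable every registered provider stays selectable.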
Setting up other multiple domains in the logon dialog box
The [WindowsCredentials.Domains] section of the SBCP.ini allows you to specify other
domains which the user can select during single sign-on.
The content of this section determines what appears in the logon dialog box. See the
example below.
[WindowsCredentials.Domains]
;
; Lists the domains to be added to the domain list. Note that the left side of the
; equals can be any value - it is ignored (but it must be unique within this section).
;
1=MyDomain1
2=MyDomain2
3=MyDomain3

[WindowsCredentials.Options]
;
; Set this to "No" to prevent the local computer name automatically being added to
; the list of domains.
;
AddLocalComputerToDomains=Yes
;
; Sets the domain to select as the default. If this is not specified, the current
; domain for the system is selected if there is one, or the local computer name if not.
;
DefaultDomain=MyDomain1
;
; If set to "Yes", the domain box will only list domains that the system marks as
; domain controllers. If set to "No" (the default), all servers will be listed.
;
DomainControllersOnly=No
;
; If set to "Yes", then the username and the domain of the last logged on user are
; automatically filled in (if available).
;
SelectLastUsed=Yes
Deploying the SBCP.ini file
When you create this file, you can import it into the Endpoint Encryption for PC Client
Files file group, or alternatively, create a new file group, specify its function as “Client
Files” and assign it to a machine. See the File Groups and Management chapter for
further information.
Endpoint Encryption Program and Driver Files
EXE Files
SafeTech
SafeTech is the disaster recovery tool for Endpoint Encryption client.
Setup
Setup.exe is the core executable in Endpoint Encryption’s packaging mechanism. It is
used as an exe stub for the install package and also handles the de-install process.
Setup takes one parameter "-Uninstall" which prompts it to walk through
sbfiles41.lst, deleting files (or marking them for deletion if they are in use) and
reversing registry settings. Setup also re-runs any installation executables with the -
Uninstall flag to remove programs. The order of removal is reverse to the install, i.e.
Installation executables, registry settings, files.
SBTokWatch
The SBTokWatch.exe file notifies Endpoint Encryption for PC when a token has been
removed. This is for Vista installations only.
DLL Files
sbalgxx
The Utility Encryption algorithm module.
sbgina
Windows login pass through GINA driver for NT / 2000.
Usually Endpoint Encryption monitors the GINA settings in the registry to ensure that
nothing removes or disables the login system. You can change the behavior of this
system by editing the SB-NoUpdateGina DWORD value in
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]. The following
values can be set:
0 - SafeBoot will install and remove its GINA
1 - SafeBoot will *not* install its GINA, but will remove it
2 - SafeBoot will *not* remove its GINA, but will install it
3 - SafeBoot will *not* install or remove its GINA
You can use these settings to force compatibility with other GINA replacement login
systems. If you use option 1, 2 or 3 you are responsible for keeping the GINA chain
correct, as Endpoint Encryption will not be monitoring some aspects of it.
SYS Files
SafeBoot.SYS
The core device driver for Endpoint Encryption, handling encryption and decryption of
the disk, and management functions.
You can block the use of Safe Mode when Endpoint Encryption is installed by setting
the following parameters. These options are included in the BlockSafeMode file group
option in Endpoint Encryption for PC.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SafeBoot]
;Prevent Safe Mode access if SafeBoot is activated
PreventSafeMode=dword:00000001
;The warning message to display (default if not set)
;PreventSafeModeMsg=""
;The screen background color (default red)
;PreventSafeModeBkCol=dword:00000000
;The screen foreground color (default white)
;PreventSafeModeFgCol=dword:0000000f
Endpoint Encryption for PC uses several sectors of the hard disk between 1 and 63 -
commonly termed the “partition gap” - to store power fail information while encryption
and decryption is in progress. If you have other applications also using these sectors,
you can exclude them from the range used by specifying registry settings as below.
For each sector you need to exclude, add a DWORD value of 1 with a name of the
decimal sector number to the following registry key as follows:
[HKLM\Software\SafeBoot International\SafeBoot\DiskManager\ExcludedSectors]
14=dword:1
15=dword:1
You can specify any number of exclusions using this method, but be aware that at
least two sectors are required, and the smaller the number available, the slower
encryption processes will run.
You can add this information to the client NTDRV.SRG registry file to ensure it is
applied on all machines at point of install.
SBALG.SYS
This file is Endpoint Encryption’s device driver crypto algorithm module.
SafeBoot.CSC/RSV
Endpoint Encryption pre-boot sector chain for the boot loader. The SafeBoot.csc file
was renamed to SafeBoot.RSV in v5.01 for better defrag protection.
SafeBoot.FS
This file is the encrypted pre-boot environment (stored as a single file).
SbRegFlt
This file is applicable to Vista installations only. It allows the administrator to properly
support auto logon, i.e. ensure the control-alt-delete behavior is correct for single sign
on.
Other Files
srg files
Endpoint Encryption registry files – these are standard regedit files which are
processed into the registry by Endpoint Encryption, without using the windows regedit
utility.
WinTech and SafeTech
WinTech and SafeTech are Endpoint Encryption’s disaster recovery and diagnostic
tools. They should only be used in the event of a catastrophic failure of the machine,
for example, after severe hard disk corruption, virus attack, or, a complete OS failure.
WinTech and SafeTech can perform the following functions:
• Decrypt the drive using information obtained from the Endpoint Encryption
Manager.
• Start the Endpoint Encryption Emergency Repair process.
• Perform forensic analysis on encrypted data.
These tools should only be used by trained Endpoint Encryption staff. For more
information, and access to the WinTech and SafeTech Administration Guide, please
contact your McAfee representative.
Themes & Localization
Endpoint Encryption for PC is the most flexible product of its kind in terms of
localization capabilities. It supports unlimited numbers of pre-boot languages and
keyboards, and offers full localized pre-boot on screen keyboard and automatic
language detection.
You can also restyle almost any aspect of the pre-boot interface, from changing colors
and graphics, to moving buttons and text on the screen.
Endpoint Encryption provides full localization and customization services, but for those
interested, the following information is provided to help you gain experience of how all
the components fit together. We provide numerous languages and graphical layouts
(themes) with our product. Readers are strongly advised to look to those while
reading these sections to understand how they work.
A tip for future theme designers: the Endpoint Encryption for PC client synchronizes
any file changes found in the [appdir]\locale and [appdir]\graphics trees into the
Endpoint Encryption pre-boot file system on every policy sync event. So, rather than
making your changes and uploading them to the Endpoint Encryption Manager, you
can simply change the files directly on an Endpoint Encryption client and perform a
sync event to load them into the pre-boot. A successful sync is not required, only an
attempt.
Themes
Endpoint Encryption for PC uses graphical “Themes” to control the look and feel of the
pre-boot environment. These Themes are stored as “Client File” type file sets within
the Endpoint Encryption Object Directory. Only one theme can be assigned to a
machine at any time.
To assign a theme to an Endpoint Encryption for PC machine, simply enable its file set
from the “Files” tab of either the machine or machine group properties.
Themes are comprised of the following components:
File or Directory    Description
Graphics
  Graphics.ini       Master definition file for the graphical theme. This file dictates the overall
                     look of the theme, the button and window positions, and the various graphical
                     elements which are used for each resolution.
  ENGLISH            The English language font files
  640x480            Images for this resolution
  800x600            Images for this resolution
  1024x768           Images for this resolution
  1280x960           Images for this resolution
  1280x1024          Images for this resolution
  1400x1050          Images for this resolution
  1440x900           Images for this resolution
  1440x1050          Images for this resolution
  1600x1200          Images for this resolution
  1680x1050          Images for this resolution
  1680x1280          Images for this resolution
  1920x1440          Images for this resolution
  Shared             Shared images used in all modes
Locale
  Locale.ini         Language translations. This file sets all the language and keyboard support
                     options. The options in Locale.ini determine which font sets from Graphics.ini
                     are used.
Table 6. Theme Overview
For information about the parameters in the Graphics.ini and Locale.ini files, see the
example theme, which has fully commented versions.
Keyboards
Physical Keyboard Layouts
Endpoint Encryption for PC supports many physical keyboard layouts, and also
supports automatic detection of the Windows keyboard layout in an attempt to choose
the most appropriate pre-boot layout.
Having the correct pre-boot layout selected is essential when authenticating, for
example, imagine the user has the French keyboard enabled in Windows, but has the
USA keyboard enabled in Endpoint Encryption for PC Pre-Boot.
Row 2 of the French keyboard begins “azerty…” whereas row 2 of a USA keyboard
begins “qwerty…”, so if the user's password contains either “a” or “z”, they will
not be able to press the same keys in pre-boot to authenticate.
Defining and adding layouts to the Endpoint Encryption PBA
Endpoint Encryption for PC can support an unlimited number of different keyboard
layouts. To define which layouts are available, usually you simply need to select the
appropriate file group for a machine and the layout will be added.
The PBA determines which layouts are installed by considering the Locale\Locale.ini
file in the pre-boot environment. This file is synchronised along with the entire
[appdir]\locale directory each time the machine performs a sync operation.
An example keyboard layout is defined as follows in Locale.ini:
;Norwegian Stub
;B5100

[Settings]
DefaultKeyboard=0414
    Defines the default keyboard if no mapping in [LanguageIDMap] can be determined.

[Keyboards]
0414=Keyboard.0414
043B=Keyboard.043B
    Defines the list of possible keyboards. In this example two keyboards are defined (0414 and
    043B), which are described in the sections [Keyboard.0414] and [Keyboard.043B]. The definition
    names and section names are arbitrary, but we recommend you use the actual keyboard ID for
    consistency.

[Keyboard.0414]
name=Norwegian
mapfile=0414_E.MAP
OSK=0414_OSK.XML
    This is a keyboard definition section. It describes the name of the keyboard (displayed in the
    selection list), the map file to use (stored in \Locale), and the on screen keyboard file to
    use (again, stored in \Locale).
    Instead of using the “name” tag, you can use NameW, which takes a comma separated list of
    hex char codes, for example:
    NameW=32,54,23,6A,43DF
    With NameW you can display Unicode chars, which is useful when defining double-byte languages.

[Keyboard.043B]
name=Norwegian with Sami
mapfile=043B_E.MAP
OSK=043B_OSK.XML

[LanguageIDMap]
0414.Keyboard=0414
043B.Keyboard=043B
    This section describes how the client should attempt to map the selected Windows keyboard to
    the pre-boot keyboards. 0414.Keyboard=0414 indicates that if Windows is using a keyboard with
    the ID 0414, Endpoint Encryption should use the keyboard described in [Keyboards] under the
    definition name 0414.

Table 7. Keyboard definition in Locale.ini
Locale.ini
Normally Language and keyboard layouts are defined within the Endpoint Encryption
Database, and each language has a locale.ini file configured as a Merge INI. This
system enables administrators to add and remove languages without having to define
the exact set prior to distribution. As all keyboards and Languages are defined in the
same Locale.ini file, without merge INIs you would have to create a locale.ini file
describing the exact combination of keyboards and locales prior to sending it to an
Endpoint Encryption for PC client.
For examples of how to define a Locale.ini, see one of the supplied languages stored in
the Endpoint Encryption Manager install directory \Languages tree.
NOTE: If the language is changed in Windows, then auto detect will not work. The new language file for
preboot and keyboard should be deployed using file groups. Select the language file from file groups and
apply it to the machine or group. The machine or machine group must then synchronize with the admin
system.
The user(s) must then restart their machines. In the preboot screen they must select
“Options”. This will load a menu. They must then select “Options” from this menu.
From the “Options” screen you can then specify the preboot language and the
keyboard language.
Creating your own Keyboard Layout
Keyboard layouts are compiled from a source text file with the following structure:
Name=the keyboard name
Flags=keyboard flags
Scancode=Unicode char number, mask, keystate…
For example:
flags=0x8000007C
NAME=Norwegian with Sami
;----
0x02=0x0031,0x009F,0x0000 ;-normal
0x02=0x0021,0x009F,0x0010 ;-shift
0x02=0x0000,0x009F,0x0009 ;-altgr
0x02=0x0031,0x009F,0x0080 ;-caps
0x02=0x0000,0x009F,0x0090 ;-shiftcaps
0x02=0x0000,0x009F,0x0019 ;-shiftaltgr
0x02=0x0000,0x009F,0x0089 ;-altgrcaps
0x02=0x0000,0x009F,0x0099 ;-shiftaltgrcaps
The keyboard map source file is comprised of the following components:
Node             Description

flags            Operational flags which control the behaviour of this keyboard map. Defined flags
                 include:
                 0x00000001 Caps is Shift
                 0x00000002 Shift unsets Caps
                 0x00000004 Acute
                 0x00000008 Grave
                 0x00000010 Circumflex
                 0x00000020 Umlaut (Diaeresis)
                 0x00000040 Tilde
                 0x00000080 Caron
                 0x00000100 Apostrophe
                 0x00000200 Cedilla
                 0x00000400 Breve
                 0x00000800 Ogonek
                 0x00001000 Dot Above
                 0x00002000 Double Acute
                 0x00004000 Degree
                 0x00008000 Tonos
                 0x00010000 Middle Dot
                 0x00020000 Low Nine
                 0x00040000 Dialytika
                 0x00080000 Quotation
                 0x00100000 Polish Programmers Tilde
                 0x00200000 Ring Above
                 0x00400000 Macron
                 0x80000000 Extended Mode (should always be enabled)

Name             The keyboard name.

Key definitions  Each key (scan code) behaviour is defined in a number of entries which state the
                 Unicode character which should be produced. Each key may have many states (normal,
                 shifted, caps etc.), so there may be multiple entries per key.
                 The possible states are defined with a mask (which modifier keys to consider) and a
                 keystate (the required state of those keys). The possible bits in the mask and
                 keystate are:
                 RIGHT_ALT_PRESSED  0x0001
                 LEFT_ALT_PRESSED   0x0002
                 RIGHT_CTRL_PRESSED 0x0004
                 LEFT_CTRL_PRESSED  0x0008
                 SHIFT_PRESSED      0x0010
                 NUMLOCK_ON         0x0020
                 SCROLLLOCK_ON      0x0040
                 CAPSLOCK_ON        0x0080
                 ENHANCED_KEY       0x0100
                 So as an example, to define key 2 (the number 1 key on a USA keyboard) you would
                 add an entry for scan code 0x02 (the scan code of this key) followed by a number of
                 possible key states.
                 0x02=0x0031,0x009F,0x0000
                 defines the number 1 key to produce the char “1” when none (keystate 0x0000) of
                 the modifiers capslock, shift, left-alt, right-ctrl, left-ctrl and right-alt (mask
                 0x009F) is pressed.
                 To define the behaviour of this key when shift alone is pressed, use the following
                 line:
                 0x02=0x0021,0x009F,0x0010
                 As above, if key 2 is pressed, produce an exclamation mark (Unicode char 0x21) when
                 shift (0x0010) alone is pressed out of the combination capslock, shift, left-alt,
                 right-ctrl, left-ctrl and right-alt (mask 0x009F).
                 In both cases the keys in the mask that are not set in the keystate must not be
                 pressed: the mask defines which keys to consider, and the keystate defines the
                 required state of each of those keys.

Table 8. Keyboard map source file
If you wish to create a custom keyboard map, you will need to have it compiled by
Endpoint Encryption before it can be used.
On Screen Keyboards
On-Screen keyboards provide visual representation of the physical keyboard. Each
keyboard map can be defined to provide either its own OSK, or, the system default
OSK (US English). The symbols on each key can be defined for the normal, alt, altgr,
shift, caps, and ctrl states, and also any combination of states.
OSK’s are defined in Endpoint Encryption pre-boot using an XML file which controls the
layout (key spacing, number of rows etc), and the display char for each key. The OSK
file (keyboardID_OSK.XML) is usually stored in the SBFS\Locale directory.
There can be many OSKs installed, and each physical keyboard map can choose one of
the installed OSKs to display on request.
Administrators can choose to always display an OSK for the user by selecting the
“always display on-screen keyboard” option of the Machine/General properties.
NOTE: Though the OSK displays the character for each possible state, the OSK sends the scan code and
modifier (shift/alt etc) to the selected keyboard driver for conversion, so the actual character printed will be
a result of the keyboard driver, NOT necessarily the one displayed on the OSK.
A Sample OSK Keyboard could be defined as follows:
<?xml version="1.0" encoding="UTF-16"?>
<keyboard>
  <options col="lightgray" button_col="lightgray" border_col="black" txt_col="black" font="System" down_col="blue" button_style="square" border_width="3">
  </options>
  <layout id="English (US)">
    <row>
      <key id="18" obey-caps="true" scancode="0x11">
        <default display="w" />
        <shifted display="W" />
        <caps display="W" />
        <alt_gr display="GR" />
        <text state="alt+shift" display="AS" />
        <text state="alt+shift+ctrl" display="ASC" />
        <text state="shift+ctrl" display="SC" />
        <text state="caps+shift" display="PS" />
        <text state="altgr+ctrl" display="GC" />
      </key>
      <key id="19" obey-caps="false" scancode="0x056">
        …
      </key>
    </row>
    <row>
      …
    </row>
  </layout>
</keyboard>
The following nodes should be considered:
Node            Description
options/font    The name of the font used by this OSK. This should be defined in Graphics.ini and
                needs to be an OnTime binary font.
layout/id       The name of this OSK layout, displayed in the title bar of the OSK.
key/id          A decimal representation of the key, usually the decimal scan code.
key/obey-caps   If this key is subject to any caps state switching, this should be set to true.
key/scancode    The scancode produced by this key.
key/default     The default display char.
key/shifted     The shifted display char.
key/caps        The caps lock state char.
key/alt_gr      The alt_gr state char.
key/text/state  The combination states for this key. The text/state attribute takes precedence
                over the key/default, key/shifted etc. states. You can specify single states, for
                example
                <text state="shift" display="Q" />
                or combination states, for example
                <text state="shift+altgr" display="%" />
                For any key to consider any caps behaviour, key/obey-caps needs to be true.
Table 9. On Screen Keyboard Source
To set which OSK is displayed per keyboard map, add an “OSK=” tag to the keyboard
definition in locale.ini, for example:
[Keyboard.043B]
name=Norwegian with Sami
mapfile=043B_E.MAP
OSK=043B_OSK.XML
Node      Description
Name      The display name of the keyboard
Mapfile   The name of the map file to use to map the key presses to chars
OSK       The name of the OSK file to display
Table 10. On Screen Keyboard Definition
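The two passages above (the keyboard map source format and the note that the OSK only paints a label while the keyboard driver decides the character) can be checked with one script. This is an added Python example, not McAfee's code and not a tool shipped with the product: it parses a map source file of the form shown under “Creating your own Keyboard Layout”, resolves a scancode plus modifier bits to the character the map emits, and then walks an OSK XML file reporting every key whose label differs from what the map would actually produce. The map and OSK texts are constructed test data (key 0x02 copies the guide's Norwegian example, and the OSK deliberately labels shift+0x02 with a quotation mark); treating the OSK state names "alt" and "ctrl" as left Alt and left Ctrl is an assumption.

```python
# Added example, not McAfee's code: parse a keyboard map source, resolve
# scancode + modifier bits to a character, and cross-check an OSK XML file so
# keys whose label differs from what the driver emits are reported.
# SAMPLE_MAP and SAMPLE_OSK are constructed; "alt"/"ctrl" mapping is assumed.
import xml.etree.ElementTree as ET

RIGHT_ALT_PRESSED  = 0x0001
LEFT_ALT_PRESSED   = 0x0002
LEFT_CTRL_PRESSED  = 0x0008
SHIFT_PRESSED      = 0x0010
CAPSLOCK_ON        = 0x0080
ALTGR = RIGHT_ALT_PRESSED | LEFT_CTRL_PRESSED   # 0x0009, the ";-altgr" keystate in the guide
EXTENDED_MODE = 0x80000000

SAMPLE_MAP = """\
flags=0x8000007C
NAME=Constructed test layout
;---- key 0x02: values from the guide's Norwegian example
0x02=0x0031,0x009F,0x0000 ;-normal
0x02=0x0021,0x009F,0x0010 ;-shift
0x02=0x0000,0x009F,0x0009 ;-altgr
0x02=0x0031,0x009F,0x0080 ;-caps
;---- key 0x11: constructed entries for a Latin "w" key
0x11=0x0077,0x009F,0x0000 ;-normal
0x11=0x0057,0x009F,0x0010 ;-shift
0x11=0x0057,0x009F,0x0080 ;-caps
0x11=0x0077,0x009F,0x0090 ;-shiftcaps
"""

def parse_keymap_source(text):
    """-> {'flags': int, 'name': str, 'keys': {scancode: [(unicode_char, mask, keystate), ...]}}"""
    km = {"flags": 0, "name": "", "keys": {}}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key.lower() == "flags":
            km["flags"] = int(value, 16)
        elif key.lower() == "name":
            km["name"] = value
        else:
            char, mask, state = (int(p, 16) for p in value.split(","))
            km["keys"].setdefault(int(key, 16), []).append((char, mask, state))
    if not km["flags"] & EXTENDED_MODE:
        raise ValueError("flags must include Extended Mode (0x80000000)")
    return km

def translate(km, scancode, modifiers):
    """Character the map emits for scancode under these modifier bits; None if the key is dead."""
    for char, mask, state in km["keys"].get(scancode, []):
        if modifiers & mask == state:             # first matching entry wins
            return chr(char) if char else None
    return None

# Element names default/shifted/caps/alt_gr carry fixed states; <text state="a+b"> combines names.
FIXED_STATES = {"default": 0, "shifted": SHIFT_PRESSED, "caps": CAPSLOCK_ON, "alt_gr": ALTGR}
NAMED_BITS = {"shift": SHIFT_PRESSED, "caps": CAPSLOCK_ON, "altgr": ALTGR,
              "alt": LEFT_ALT_PRESSED, "ctrl": LEFT_CTRL_PRESSED}   # alt/ctrl: assumption

def osk_states(key):
    """Yield (state_name, modifier_bits, label) for each label the OSK paints on this key."""
    obey_caps = key.get("obey-caps", "false").lower() == "true"
    for child in key:
        if child.tag in FIXED_STATES:
            name, bits = child.tag, FIXED_STATES[child.tag]
        elif child.tag == "text":
            name, bits = child.get("state", ""), 0
            for part in name.split("+"):
                bits |= NAMED_BITS[part]               # KeyError on an unknown state name
        else:
            continue
        if bits & CAPSLOCK_ON and not obey_caps:
            continue                                   # key ignores caps; label is unreachable
        yield name, bits, child.get("display")

def check_osk_against_map(osk_xml, km):
    """-> [(scancode, state, osk_label, map_char)] wherever the label and the driver disagree."""
    mismatches = []
    for key in ET.fromstring(osk_xml).iter("key"):
        sc = int(key.get("scancode"), 16)
        for state, bits, label in osk_states(key):
            produced = translate(km, sc, bits)
            if produced != label:
                mismatches.append((sc, state, label, produced))
    return mismatches

SAMPLE_OSK = """\
<keyboard><options font="System"></options><layout id="Constructed test"><row>
  <key id="2" obey-caps="true" scancode="0x02">
    <default display="1" />
    <shifted display="&quot;" />
    <caps display="1" />
  </key>
  <key id="17" obey-caps="true" scancode="0x11">
    <default display="w" />
    <shifted display="W" />
    <caps display="W" />
    <text state="shift+caps" display="w" />
  </key>
</row></layout></keyboard>
"""
```

Run check_osk_against_map() over your own keyboardID_OSK.XML and the map source before sending them for compilation; real OSK files are UTF-16, so pass the file's bytes (ET.fromstring accepts them) rather than decoding first.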
Pre-Boot Language
Endpoint Encryption for PC supports many languages, and also supports automatic
detection (Note: this is only during Endpoint Encryption activation) of the Windows
Language in an attempt to choose the most appropriate pre-boot language.
NOTE: If the language is changed in Windows, then auto detect will not work. The new language file for
preboot and keyboard should be deployed using file groups. Select the language file from file groups and
apply it to the machine or group. The machine or machine group must then synchronize with the admin
system.
The user(s) must then restart their machines. In the preboot screen they must select “Options”. This will
load a menu. They must then select “Options” from this menu. From the “Options” screen you can then
specify the preboot language and the keyboard language.
The selectable languages are defined in the SBFS Locale\Locale.ini file, for example:
;Chinese Stub
;B5100

[Settings]
DefaultLanguage=0804
    The default language to use if no mapping is found in the [LanguageIDMap] section.

[Languages]
0804=Lang.0804
0404=Lang.0404
    The defined languages. Both the definition name and the section name are arbitrary.

[LanguageIDMap]
0804.Language=0804
0404.Language=0404
0004.Language=0804
0C04.Language=0404
0404.Keyboard=0404
0804.Keyboard=0804
    The Windows language to Endpoint Encryption pre-boot language map. For example, if Windows is
    using the locale 0404, then the pre-boot should use the definition 0404 for its language.
    Both the full locale ID and its primary language are checked, so in this example both Windows
    languages 0804 and 0004 use the Endpoint Encryption pre-boot definition section 0804. If a
    variant with no entry of its own, for example 0F04, is found in Windows, its primary language
    entry 0004 is used instead, which here also selects 0804.

[Lang.0804]
;Name=Chinese Simplified (PRC)
NameW=,0020,0050,0052,0043,0029
ID=0804
StringFile=0804.STR
FontSection=Fonts.SuperFont
    This section defines a language.
    The Name tag is the name displayed in the pre-boot selection list. You can supply a NameW tag
    instead, which takes a comma separated list of char codes; this lets you set a Unicode name for
    the list.
    The ID is the locale ID; this should be the recognised Windows locale ID for this language.
    The StringFile is the compiled definition file to use (stored in \locale).
    The FontSection is the section in Graphics.ini which contains the fonts to be used for this
    language. Each language can use its own fonts, or fonts shared with other languages.

Table 11. Pre-Boot Language Definition
Creating your own Language file
Endpoint Encryption for PC Language files are created from a Unicode master which
describes the text to display for each defined pre-boot message, for example:
Name=Chinese (Simplified)
ID=0804
1=确定
2=取消
3=SafeBoot
4=是
5=否
50=请插入一张引导用的软盘或者按取消从硬盘引导。
100=SafeBoot登录
101=用户名:
102=密码:
103=修改密码
51=您不允许从软盘引导,系统将从硬盘引导。
You can obtain a pre-boot English master text file from your Endpoint Encryption
distributor. Once translated, the file needs to be compiled by Endpoint Encryption.
Pre-Boot Token Descriptions
You can localise the token names used in Endpoint Encryption for PC by adding an
XML definition file to the [appdir]\SBTokens\Languages directory. The client searches
for resources in the following order:
• The [appdir]\SBTokens\Languages\LanguageID directory
• The [appdir]\SBTokens\Languages\LanguageMajor directory
• The [appdir]\SBTokens\Languages directory
For example, on a US English system (Language ID 0409) Endpoint Encryption for PC
will look for token resources in [appdir]\SBTokens\Languages\0409, then
[appdir]\SBTokens\Languages\0009, then [appdir]\SBTokens\Languages.
The definition file for each token is an XML file with the name Token_tokenID.xml,
as follows:
<SbTokenInformation>
  <Token type="xxxxxxxx">                  The ID of the token; see the Tokens section of this guide.
    <PromptName>prompt text</PromptName>   The text to display in the login box.
    <ListName>list text</ListName>         The text to display in the list of tokens.
  </Token>
</SbTokenInformation>
Table 12. Token Translation File
Windows Languages
Endpoint Encryption for PC uses resource DLLs and other files to convert its Windows
components to display in alternate languages.
The client searches for resources in the following order:
• Looks to the [appdir]\Languages\LanguageID directory
• Looks to the [appdir]\Languages\LanguageMajor directory
• Looks to the [appdir]\Languages directory
• Looks to the [appdir] directory and uses built in resources
For example, on a US English system (Language ID 0409) Endpoint Encryption for PC
will look for resources in [appdir]\Languages\0409, then [appdir]\Languages\0009,
then [appdir]\Languages, then [appdir].
The following components are supported for localization:
• DLL resources (Windows resources)
• SBErrors.XML (Unicode Error code descriptions)
• SBErrors.INI (ASCII Error code descriptions)
• SBClient.CHM (Help file)
• SBHelp.INI (Help file index)
Troubleshooting PCs
For the latest information on Endpoint Encryption issues, patches and information
please see our web site, www.mcafee.com. We maintain several sections with the
latest tips from our implementation teams, and any suggested changes and updates.
You can also subscribe to an update list which uses e-mail to keep you informed of any
significant issues.
Error Messages
Please see the file sberrors.ini for more details of these error messages. You can also
find more information on error messages on our web site, www.mcafee.com.
Module codes
The following codes can be used to identify from which Endpoint Encryption module
the error message was generated.
Code   Module
1c00   IPC
5501   SBHTTP Page Errors
5502   SBHTTP User Web Recovery
5c00   SBCOM Protocol
5c02   SBCOM Crypto
a100   ALG
c100   Scripting
db00   Database Misc
db01   Database Objects
db02   Database Attributes
e000   Endpoint Encryption General
e001   Endpoint Encryption Tokens
e002   Endpoint Encryption Disk
e003   Endpoint Encryption SBFS
e004   Endpoint Encryption BootCode
e005   Endpoint Encryption Client
e006   Endpoint Encryption Algorithms
e007   Endpoint Encryption Users
e010   Endpoint Encryption Keys
e011   Endpoint Encryption File
e012   Endpoint Encryption Licenses
e013   Endpoint Encryption Installer
e014   Endpoint Encryption Hashes
e015   Endpoint Encryption App Control
e016   Endpoint Encryption Admin
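An added example, not part of the guide, of using the module table above for log triage: each bracketed 8-digit code is split into its module prefix (the upper 16 bits) and an index within the module, the prefix is mapped to a module name, and the codes found in a batch of log lines are counted per module. The log lines are constructed for illustration; the product's own log format is not documented on this page, and the small message table and the "review" policy are assumptions copied from, or layered over, the tables that follow.

```python
import re
from collections import Counter

# Module prefixes as printed in the "Module codes" table above (upper 16 bits
# of the 32-bit code). The per-module tables that follow label E007 "Readers"
# and E008 "Users"; the names here follow the summary table as printed.
MODULES = {
    0x1c00: "IPC", 0x5501: "SBHTTP Page Errors", 0x5502: "SBHTTP User Web Recovery",
    0x5c00: "SBCOM Protocol", 0x5c02: "SBCOM Crypto", 0xa100: "ALG", 0xc100: "Scripting",
    0xdb00: "Database Misc", 0xdb01: "Database Objects", 0xdb02: "Database Attributes",
    0xe000: "Endpoint Encryption General", 0xe001: "Endpoint Encryption Tokens",
    0xe002: "Endpoint Encryption Disk", 0xe003: "Endpoint Encryption SBFS",
    0xe004: "Endpoint Encryption BootCode", 0xe005: "Endpoint Encryption Client",
    0xe006: "Endpoint Encryption Algorithms", 0xe007: "Endpoint Encryption Users",
    0xe010: "Endpoint Encryption Keys", 0xe011: "Endpoint Encryption File",
    0xe012: "Endpoint Encryption Licenses", 0xe013: "Endpoint Encryption Installer",
    0xe014: "Endpoint Encryption Hashes", 0xe015: "Endpoint Encryption App Control",
    0xe016: "Endpoint Encryption Admin",
}

# A few messages copied from the per-module tables below, enough for the sample.
MESSAGES = {
    0x5c00000f: "Failed to connect to the remote computer",
    0xe0010006: "Too many incorrect authentication attempts",
    0xdb00001d: "You do not have permission to access the object",
    0xe0050018: "A possible virus has been detected",
}

# Example policy (an assumption, not from the guide): token lockouts and the
# boot-loader virus warning go to security review rather than the helpdesk.
REVIEW_CODES = {0xe0010005, 0xe0010006, 0xe0050018}

CODE_RE = re.compile(r"\[([0-9a-fA-F]{8})\]")


def decode_error_code(code_hex):
    """Split an 8-digit hex code into module prefix, module name and index."""
    value = int(code_hex, 16)
    module_id = value >> 16
    return {
        "code": f"{value:08x}",
        "module_id": f"{module_id:04x}",
        "module": MODULES.get(module_id, "unknown module"),
        "index": value & 0xFFFF,
        "message": MESSAGES.get(value, "see sberrors.ini"),
    }


def needs_review(entry):
    return int(entry["code"], 16) in REVIEW_CODES


# Constructed log lines in a free-form "timestamp source: [code] message" shape.
SAMPLE_LOG = [
    "2010-03-01 08:12:03 sync: [5c00000f] Failed to connect to the remote computer",
    "2010-03-01 08:12:09 logon: [e0010006] Too many incorrect authentication attempts",
    "2010-03-01 08:13:44 admin: [DB00001D] You do not have permission to access the object",
    "2010-03-01 08:14:02 heartbeat ok",
    "2010-03-01 08:15:30 boot: [e0050018] A possible virus has been detected",
]


def triage_log(lines):
    """Decode every bracketed code in the lines; return (entries, count per module)."""
    entries = [decode_error_code(m.group(1)) for line in lines for m in CODE_RE.finditer(line)]
    per_module = Counter(e["module"] for e in entries)
    return entries, per_module


if __name__ == "__main__":
    entries, per_module = triage_log(SAMPLE_LOG)
    for e in entries:
        flag = "REVIEW " if needs_review(e) else "       "
        print(f"{flag}[{e['code']}] {e['module']} #{e['index']}: {e['message']}")
    print(dict(per_module))
```

Grouping by module prefix is what makes the count useful: a burst of e001 (Tokens) codes across many machines looks very different from one machine repeatedly logging 5c00 (SBCOM Protocol) connection failures, and the decoder lets a SIEM rule key on the prefix without listing every individual code.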
1C00 IPC Errors
Code Message and Description
[1c000001] Timeout during IPC
[1c000002] IPC terminated
[1c000003] Unable to initialise IPC
[1c000004] Unknown or unsupported function
[1c000005] Request to send data that is too big
[1c000006] Timeout sending data
[1c000007] Timeout waiting for reply
[1c000008] Out of memory
5C00 Communications Protocol
Code Message and Description
[5c000000] Unsupported version
The server and client are not talking the same communications protocol version
[5c000005] Out of memory
[5c000008] A corrupt or unexpected message was received
[5c000009] Unable to load the Windows TCP/IP library (WSOCK32.DLL)
Check that the TCP/IP protocol is installed
[5c00000a] Communications library not initialised
This is an internal programmatic error
[5c00000c] Unable to create TCP/IP socket
[5c00000d] Failed while listening on a TCP/IP socket
[5c00000e] Unable to convert a host name to an IP address
Check the host file or the DNS settings
[5c00000f] Failed to connect to the remote computer
The computer may not be listening or it is too busy to accept connections
[5c000010] Failed while accepting a new TCP/IP connection
[5c000011] Failed while receiving communications data
The remote computer may have reset the connection
[5c000012] Failed while sending communications data
[5c000013] Invalid communications configuration
[5c000014] Invalid context handle
[5c000015] A connection has already been established
[5c000016] No connection has been established
[5c000017] Request for an unknown function has been received
[5c000018] Unsupported or corrupt compressed data received
[5c000019] Data block is too big
[5c00001a] Data of an unexpected length has been received
[5c00001b] Message too big to be received
This may occur if an attempt is made to import large amounts of data into the database (e.g. a file)
[5c00001c] Unable to create thread mutex
[5c00001d] Message too big to be sent
This may occur if an attempt is made to import large amounts of data into the database (e.g. a file)
[5c00001e] Wrong Endpoint Encryption Communications Protocol Version
You are most likely trying to connect to a v4 Endpoint Encryption Server using a v5 Server definition with server authentication enabled.
Check that you do not have both v4 and v5 servers running (perhaps as a service) at the same time.
5C02 Communications Cryptographic
Code Message and Description
[5c020000] The Diffie-Hellman data is invalid or corrupt
[5c020001] An unsupported encryption algorithm has been requested
[5c020002] An unsupported authentication algorithm has been requested
[5c020003] Unable to sign data
[5c020004] Authentication signature is not valid
[5c020005] Authentication parameters are invalid or corrupt
[5c020006] Failed while generating DSA parameters
[5c020007] No session key has been generated
[5c020008] Unable to authenticate user
[5c020009] Session key too big
A100 Algorithm Errors
Code Message and Description
[a1000000] Not enough memory
[a1000001] Unknown or unsupported function
[a1000002] Invalid handle
[a1000003] Encryption key is too big
[a1000004] Encryption key is too small
[a1000005] Unsupported encryption mode
[a1000006] Invalid memory address
[a1000007] Invalid key data
DB00 Database Errors
Code Message and Description
[db000000] Out of memory
[db000001] More data is available
[db000002] The database has not been created or initialised yet
Check the database path or create a new database. To force the new database wizard to be run, delete the SDMCFG.INI file and restart the administration program.
[db000003] Invalid context handle
[db000004] The name was not found in the database
[db000005] Authentication was not successful.
Check that you have the correct token for this database
[db000006] Unknown database
[db000007] Invalid database type
[db000008] The database could not be found.
Check the database path settings
[db000009] Database already exists.
Choose a different database path
[db00000a] Unable to create the database
Check the path settings and make sure you have write access to the directory
[db00000b] Invalid database handle
[db00000c] The database is currently in use by another entity
You cannot delete a database while someone is using it
[db00000d] Unable to initialise the database
[db00000e] User aborted
[db00000f] Memory access violation
[db000010] Invalid string
[db000011] No default group has been defined
[db000012] The group could not be found
[db000013] File not found
[db000014] Unable to read file
[db000015] Unable to create file
[db000016] Unable to write to file
[db000017] File corrupt
[db000018] Invalid function
[db000019] Unable to create mutex
[db00001a] Invalid license
The license has been modified so that the signature is now invalid
[db00001b] License has expired
[db00001c] The license is not for this database
Check the database ID and ensure it is the same as the one specified in the license. Each time you create a new database, a different ID is generated. There is no way to change the ID of a database.
[db00001d] You do not have permission to access the object
[db00001e] Endpoint Encryption is currently busy with another task. Please wait for it to complete and try again.
This usually means that your hard disks are in the process of being encrypted or decrypted. You can check the current Endpoint Encryption status from the right‐click menu of the Endpoint Encryption task bar icon.
[db00001f] Endpoint Encryption is still installed on this machine
[db000020] Buffer too small
[db000021] The requested function is not supported
[db000022] Unable to update the boot sector
The disk may be in use by another application or Explorer itself. The disk may be protected by an anti‐virus program.
DB01 Database Objects
Code Message and Description
[db010000] The object is locked
Someone else is currently updating the same object
[db010001] Unable to get the object ID
[db010002] Unable to change the object's access mode
Someone else may be accessing the object at the same time. If you are trying to write to the object while someone else has the object open for reading, you will not be able to change to write mode.
[db010003] Object is in wrong access mode
[db010004] Unable to create the object in the database
The disk may be full or write protected
[db010005] Operation not allowed on the object type
[db010006] Insufficient privilege level
You do not have the access rights required to access the object.
[db010007] The object status is disabled
This is usually associated with User objects. Disabling the user's object prevents them logging on until their account is re‐enabled.
[db010008] The object already exists
[db01000f] The object is in use
[db010010] Object not found
The object has been deleted from the database
[db010011] License has been exceeded for this object type
Check that your licenses are still valid and if not obtain further licenses if necessary
DB02 Database Attributes
Code Message and Description
[db020000] Attribute not found
[db020001] Unable to update attribute
[db020002] Unable to get attribute data
[db020003] Invalid offset into attribute data
[db020004] Unable to delete attribute
[db020005] Incorrect attribute length
[db020006] Attribute data required
E000 Endpoint Encryption General
Code Message and Description
[e0000000] User aborted
[e0000001] Insufficient memory
[e0000002] Invalid date/time
[e0000010] Invalid date/time. Clock is reporting a time before 1992 or after 2038.
E001 Tokens
Code Message and Description
[e0010000] General token error
[e0010001] Token not logged on
[e0010002] Token authentication parameters are incorrect
[e0010003] Unsupported token type
[e0010004] Token is corrupt
[e0010005] The token is invalidated due to too many invalid logon attempts
[e0010006] Too many incorrect authentication attempts
[e0010007] Token recovery key incorrect
[e0010010] The password is too small
[e0010011] The password is too large
[e0010012] The password has already been used before. Please choose a new one.
[e0010013] The password content is invalid
[e0010014] The password has expired
[e0010015] The password is the default and must be changed.
[e0010016] Password change is disabled
[e0010017] Password entry is disabled
[e0010020] Unknown user
[e0010021] Incorrect user key
[e0010022] The token is not the correct one for the user
[e0010023] Unsupported user configuration item
[e0010024] The user has been invalidated
[e0010025] The user is not active
[e0010026] The user is disabled
[e0010027] Logon for this user is not allowed at this time
[e0010028] No recovery key is available for the user
[e0010030] The algorithm required for the token is not available
[e0010040] Unknown token type
[e0010041] Unable to open token module
[e0010042] Unable to read token module
[e0010043] Unable to write token module
[e0010044] Token file not found
[e0010045] Token type not present
[e0010046] Token system class is not available
[e0018000] Sony Puppy requires fingerprint
[e0018001] Sony Puppy requires password
[e0018002] Sony Puppy not trained
E002 Endpoint Encryption Disk
Code Message and Description
[e0000002] Invalid date/time
[e0020000] No more data is available
[e0020001] No more data is available
[e0020002] Unsupported disk driver function
[e0020003] Invalid disk driver request
[e0020004] Disk request buffer too small
[e0020005] Unsupported encryption algorithm
[e0020006] Unknown disk number
[e0020007] Error reading disk sector
[e0020008] Error writing disk sector
[e0020009] Unable to get disk partition information
[e002000a] Endpoint Encryption disk information not present
[e002000b] Not enough space for the Endpoint Encryption disk information
[e002000c] The Endpoint Encryption disk information is invalid
[e002000d] Sector not valid for Endpoint Encryption disk information use
[e002000e] Sector chain is invalid
[e002000f] Sector chain type incorrect
[e0020010] Sector chain sequence number incorrect
[e0020011] Sector chain checksum invalid
[e0020012] Crypt state information too big for available space
[e0020013] Crypt list full
[e0020014] Crypt range too big.
[e0020015] Attempt to crypt while in power fail state not allowed
[e0020016] Attempt to crypt in‐progress I/O
[e0020017] Error communicating with Endpoint Encryption disk driver
[e0020018] Endpoint Encryption disk driver not present
[e0020019] Unsupported disk driver version
[e002001a] No encryption key has been set
[e002001b] Unable to find the system boot disk
[e002001c] Unknown message slot
[e002001d] Message slot data too large
[e002001e] Unable to lock floppy disk driver for access
[e002001f] Unable to access floppy disk
[e0020020] The boot disk type is not supported
[e0020021] Access to driver not permitted
E003 Endpoint Encryption SBFS
Code Message and Description
[e0030001] The SafeBot File System is already mounted
[e0030002] Unable to mount the Endpoint Encryption File System
[e0030003] Unable to unmount the Endpoint Encryption File System
[e0030004] The Endpoint Encryption File System is not mounted
[e0030005] Error reading Endpoint Encryption File System sector
[e0030006] Error writing Endpoint Encryption File System sector
[e0030007] Endpoint Encryption File System too fragmented
[e0030008] Endpoint Encryption File System size invalid
[e0030009] Error creating Endpoint Encryption File System host file
[e003000a] Error reading Endpoint Encryption File System host file
[e003000b] Error writing Endpoint Encryption File System host file
[e003000c] Error setting Endpoint Encryption File System host file pointer
[e003000d] Unable to locate sectors corresponding to the Endpoint Encryption File System host file
[e003000e] No host driver found for the Endpoint Encryption File System
E004 Boot Code Image
Code Message and Description
[e0040001] Unable to open boot code image file
[e0040002] Error reading boot code image file
[e0040003] Boot code image file too big
[e0040004] Error creating boot code image host file
[e0040005] Error reading boot code image host file
[e0040006] Error writing boot code image host file
[e0040007] Error setting boot code image host file pointer
[e0040008] Unable to locate boot code image host file sectors
[e0040009] No host driver found for boot code image file
[e004000a] Unhandled instruction
[e004000b] Invalid instruction
[e004000c] Protected mode General Protection Fault
E005 Client
Code Message and Description
[e0050001] Endpoint Encryption Client not activated
[e0050002] The Endpoint Encryption Client is already activated
[e0050003] The Endpoint Encryption Client activation is already in progress
[e0050004] The wrong version of the Endpoint Encryption Client is currently active
[e0050005] Unable to save original MBR
[e0050006] Disk Manager not open
[e0050007] Unable to load MBR copy
[e0050008] Unable to load the Endpoint Encryption MBR
[e005000a] Too many work items to perform encryption.
[e005000b] Endpoint Encryption MBR invalid
[e005000c] Endpoint Encryption Client sync failed to start
[e005000d] Endpoint Encryption Client sync already in progress
[e005000e] Key not available to the Endpoint Encryption Client
[e005000f] The recovery key is incorrect
[e0050010] Failed to start cryption
[e0050011] Cryption already in progress
[e0050012] The hard disk key is incorrect
[e0050013] The machine configuration is corrupt or invalid
[e0050014] Unable to load string data
[e0050015] String data is invalid
[e0050016] Incorrect user logon
[e0050017] The isolation period has expired
[e0050018] A possible virus has been detected
[e0050019] Recovery data is invalid
[e005001a] Recovery file version unsupported
[e005001b] Invalid recovery command
[e005001c] Invalid recovery type
[e005001d] Recovery data not found
[e005001d] Client not initialized for emergency boot
[e0050020] Unable to open the client data store
[e0050021] The client data store is not open
[e0050022] The client data store already exists
[e0050023] Error creating client data store
[e0050024] Unable to create client data store directory
[e0050025] Client data store in use
[e0050026] Unable to delete client data store
[e0050027] The client data store is corrupt
[e0050028] Unsupported client data store version
[e0050030] Client data store object not found
[e0050031] Client data store object not open
[e0050032] Client data store object not exclusive
[e0050033] Client data store object ID invalid
[e0050034] Client data store object ID already exists
[e0050035] Unable to create client data store object directory
[e0050036] Client data store object name already exists
[e0050037] Unable to read client data store object name
[e0050038] Unable to write client data store object name
[e0050040] Unable to remove client data store object
[e0050041] Client data store attribute not found
[e0050042] Client data store attribute not open
[e0050043] Unable to open client data store attribute
[e0050044] Unable to create client data store attribute
[e0050045] Unable to read client data store attribute
[e0050046] Unable to write data store attribute
[e0050047] Client data store attribute version incorrect
[e0050048] Client data store attribute corrupt
[e0050049] Invalid size of client data store attribute
[e005004a] Access denied to client data store attribute
[e0050060] Upgrade of client is not possible
[e0050061] Upgrade old SbFs is invalid
[e0050062] Upgrade old SbFs not found
[e0050063] Upgrade old SbFs drive not found
[e0050064] Upgrade, unable to read old SbFs
[e0050065] Upgrade, old machine configuration invalid
[e0050066] Upgrade, invalid user data.
[e0050067] Upgrade, user directory version invalid
[e0050068] Upgrade, invalid user directory
[e0050069] Upgrade, unable to get original MB
[e005006a] Upgrade, unable to get audit data
E006 Algorithms
Code Message and Description
[e0060001] Unknown encryption algorithm
[e0060002] Unable to install pre-boot encryption algorithm module
[e0060003] Error relocating 16-bit encryption algorithm code
[e0060004] Error initializing 16-bit encryption algorithm module
[e0060005] 16-bit encryption algorithm module invalid
E007 Readers
Code Message and Description
[e0070001] Unknown reader type
[e0070002] Unable to open reader module
[e0070003] Unable to read reader module
[e0070004] Unable to write reader module
[e0070005] Reader failure
[e0070006] Unable to create reader context
[e0070007] Invalid reader parameter
[e0070008] Reader not present
[e0070009] Reader timeout
[e007000a] Reader sharing violation
[e007000b] Token not present in reader
[e007000c] Reader protocol mismatch
[e007000d] Reader communications error
[e007000e] Token not powered in reader
[e007000f] Token not reset in reader
[e0070010] Token removed from reader
E008 Users
Code Message and Description
[e0080001] User configuration invalid or corrupt
[e0080002] User information field index invalid
[e0080003] User has no hard disk encryption key
E010 Keys
Code Message and Description
[e0100001] Encryption key too big
[e0100002] Encryption key size invalid
E011 Files
Code Message and Description
[e0110001] Unable to create file
[e0110002] Unable to open file
[e0110003] Error reading file
[e0110004] Error writing file
[e0110005] Error setting file pointer
[e0110006] Error getting file size
E012 Licences
Code Message and Description
[e0120001] License invalid
[e0120002] License expired
[e0120003] License is not for this database
[e0120004] License count exceeded
E013 Installer
Code Message and Description
[e0130002] No installer executable stub found
[e0130003] Unable to read installer executable stub
[e0130004] Unable to create file
[e0130005] Error writing file
[e0130006] Error opening file
[e0130007] Error reading file
[e0130008] Installer file invalid
[e0130009] No more files to install
[e013000a] Install archive block data too large
[e013000b] Install archive data not found
[e013000c] Install archive decompression failed
[e013000d] Unsupported installer archive compression type
[e013000e] Installation error
[e013000f] Unable to create temporary directory
[e0130010] Error registering module
E014 Hashes
Code Message and Description
[e0140001] Insufficient memory
[e0140002] Error opening hashes file
[e0140003] Error reading hashes file
[e0140004] Hashes file invalid
[e0140005] Unable to create hashes file
[e0140006] Error writing hashes file
[e0140007] Hashes file is not open
[e0140008] Hashes file data invalid
[e0140009] Hashes file data too big
[e014000a] User aborted
E015 Application Control
Code Message and Description
[e0150001] Insufficient memory
[e0150002] Application control invalid parameter
[e0150003] Error communicating with application control driver
[e0150004] Application control driver not installed
[e0150005] Error opening application control log file
[e0150006] Invalid hashes object list
E016 Administration Center
Code Message and Description
[e0160001] Invalid plugin information
xxH: BIOS
If Endpoint Encryption's boot loader detects a hardware error from the BIOS, it reports the standard error code in the format "Endpoint Encryption ?? Error code H??".
The following list of codes may be reported:
Code Message and Description
01H Invalid function call
02H Address mark not found
03H Disk is write protected
04H Sector not found
05H Reset failed (hard disk)
06H Diskette has been changed
07H Drive parameter activity failed (hard disk)
08H DMA overrun
09H DMA attempted across 64K boundary
0AH Bad sector flag detected (hard disk)
0BH Bad track detected (hard disk)
0CH Unsupported track or invalid media
0DH Invalid number of sectors for Format (hard disk)
0EH Control data address mark detected (hard disk)
0FH DMA arbitration level out of range (hard disk)
10H Uncorrectable CRC or ECC error on read
11H ECC corrected data error (hard disk)
20H Disk controller failure
31H No media in drive
32H Drive does not support media type
40H Seek failed
80H Timeout (disk not ready)
AAH Drive not ready
B0H Volume not locked in drive (INT 13 extensions)
B1H Volume locked in drive (INT 13 extensions)
B2H Volume not removable (INT 13 extensions)
B3H Volume in use (INT 13 extensions)
B4H Lock count exceeded (INT 13 extensions)
B5H Valid eject request failed (INT 13 extensions)
BBH Undefined error (hard disk)
CCH Write fault (hard disk)
E0H Status register error (hard disk)
FFH Sense failed (hard disk)
Technical Specifications and Options
The following options are available from Endpoint Encryption but may not be included on your install CD, or be appropriate for your version of Endpoint Encryption. Please contact your Endpoint Encryption representative for information if you wish to use one of these optional components.
Encryption Algorithms
Endpoint Encryption supports many custom algorithms. Only one algorithm can be used in an Endpoint Encryption Enterprise.
Algorithm performance is based on the "PassMark" rating, which gives an overall indication of system performance. All tests were performed on a K6-II-300 machine running NT4.0. This test platform has a PassMark of 20.7. The closer to this figure an algorithm gets, the less the impact of Endpoint Encryption on the user. Faster machines will achieve correspondingly higher PassMark ratings, but the percentage difference between them will be comparable.
RC5-12 (FASTEST)
CBC Mode, 1024 bit key, 12 rounds, 64 bit blocks. PassMark 20.7 (100%)
RC5-18
CBC Mode, 1024 bit key, 18 rounds, 64 bit blocks, PassMark 20.7 (100%)
The 18 round RC5 variant is designed to prevent the theoretical “Known Plaintext”
attack.
AES-FIPS (FIPS 140-2 Approved) - RECOMMENDED
CBC Mode, 256 bit key, 128 bit blocks, PassMark 19.3 (93%)
This algorithm is approved for FIPS 140-2 use.
Smart Card Readers
The following smart card readers are supported.
PCMCIA Smart Card Readers
• SCR243 / SCR201 and compatibles (such as HP DC350B, ActivIdentity and others)
• PCMCIA smart card reader. See http://www.scmmicro.com/security/SCR243.html for more information.
• SCR201 and compatibles such as PCSR and Cisco PCMCIA readers
Generic USB CCID Smart Card Reader and compatibles
This module provides support for the following devices:
• Universal CCID USB smart card reader support (supports all industry standard
CCID readers)
• Dell D620 Integrated Smart Card Reader
• Gemplus GemPC430 USB Smart Card Reader
• Omnikey 3121 USB Smart Card Reader
• ACR38 USB Smart Card Reader
USB Smart Card Readers (non-CCID)
• Mako DT3500 Desktop smart card reader with USB interface
PCI Smart Card Readers
• HP 6400 Integrated Smart Card Reader
• Dell D610/810 Integrated Smart Card Reader
Tokens
Please see the Using Tokens with Endpoint Encryption for PC chapter for further information.
For the latest list of authentication methods using smart cards, tokens and fingerprint readers please consult your McAfee representative.
Language Support
Client Pre‐Boot Languages (auto detect)
Arabic
Czech
Chinese (Simplified)
Chinese (Traditional)
Dutch
Italian
Japanese
Korean
Polish
Portuguese
English (United Kingdom)
English (United States)
Estonian
German
Hungarian
Russian
Slovak Republic
Swedish
Spanish
Turkish
Pre‐Boot Keyboards (auto detect)
Arabic 101
Arabic 102
Arabic AZERTY
Belgian Comma
Belgian Period
Canadian Multilingual
Canadian French
Canadian French Legacy
Chinese Bopomofo
Chinese ChaiJei
Croatian
Czech (Czech Republic)
Czech (QWERTY)
Czech (Programmers)
Danish
Dutch
English (United States)
English (United Kingdom)
Greek 319
Greek 220 Latin
Greek 319 Latin
Hebrew
Hungarian
Italian
Icelandic
Irish
Japanese
Kazakh
Korean
Latin American
Norwegian
Norwegian with Sami
Polish 214
Polish Programmers
Portuguese Brazil
Portuguese Portugal
English (US International)
English (UK Extended)
Estonian
French (Belgium)
French (France)
French (Canada)
French (Swiss)
Finnish
Gaelic
German (Standard)
German (IBM)
Greek
Greek Latin
Greek 220
Romanian
Russian
Russian Typewriter
Slovak
Slovak QWERTY
Slovenian
Spanish (Spain)
Spanish (International)
Spanish Variant
Swedish
Swiss German
Thai Kedmanee
Turkish F
Turkish Q
US Dvorak
Most of the keyboard layouts also support On-Screen representations.
Please note – other languages are available on request. We are continuously updating
our language translations and encourage feedback from our users.
Windows Languages (auto detect)
English (United Kingdom)
English (United States)
System Requirements
Implementation documentation discussing appropriate hardware for typical installations of Endpoint Encryption is available from your representative.
Client
• Windows 2000, XP, 2003 Server, Vista 32bit (all versions), Vista 64bit (all versions)
• 128MB RAM, or OS minimum specification
• 5-35MB free hard disk space (depending on localization and number of desired users)
• Pentium-compatible processor, including multi-processor (up to 32 way), dual-core and hyper-threading processors, and Pentium-compatible processors such as AMD processors
• For remote administration, a TCP/IP network connection is required
Appendix
Legal Notices: McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com
McAfee, SafeBoot and/or other noted McAfee related products contained herein are
registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US
and/or other countries. McAfee Red in connection with security is distinctive of McAfee
brand products. Any other non-McAfee related products, registered and/or
unregistered trademarks contained herein is only by reference and are the sole
property of their respective owners. © 2007 McAfee, Inc. All rights reserved.
Your rights to install, run, copy, reproduce, distribute or make any other use of the
accompanying software is subject to your license agreement with McAfee, Inc. If you
have any questions, please review your software license or contact your McAfee
representative.
McAfee SafeBoot products make use of the following third party open source
technologies:
• ZLIB, a general compression library
• OpenSSL/OpenSSLeay - a general SSL/PKI communications library
• OpenLDAP - a general LDAP library
Open Source Components License Details
Communications Layer - ZLIB
==================
License
/* zlib.h -- interface of the 'zlib' general purpose compression library
version 1.2.2, October 3rd, 2004
Copyright (C) 1995-2004 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.
Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not
claim that you wrote the original software. If you use this software
in a product, an acknowledgment in the product documentation would be
appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly [email protected]
Mark Adler [email protected]
*/
Communications Layer and LDAP Connector - OpenSSL/OpenSSLEAY
=========================================
LICENSE ISSUES
==============
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
the OpenSSL License and the original SSLeay license apply to the toolkit.
See below for the actual license texts. Actually both licenses are BSD-style
Open Source licenses. In case of any license issues related to OpenSSL
please contact [email protected].
OpenSSL License
---------------
/* ====================================================================
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* ([email protected]). This product includes software written by Tim
* Hudson ([email protected]).
*
*/
Original SSLeay License
-----------------------
/* Copyright (C) 1995-1998 Eric Young ([email protected])
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young ([email protected]).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson ([email protected]).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young ([email protected])"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson ([email protected])"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved.
This software is not subject to any license of the American Telephone
and Telegraph Company or of the Regents of the University of California.
Permission is granted to anyone to use this software for any purpose on
any computer system, and to alter it and redistribute it, subject
to the following restrictions:
1. The author is not responsible for the consequences of use of this
software, no matter how awful, even if they arise from flaws in it.
2. The origin of this software must not be misrepresented, either by
explicit claim or by omission. Since few users ever read sources,
credits must appear in the documentation.
3. Altered versions must be plainly marked as such, and must not be
misrepresented as being the original software. Since few users
ever read sources, credits must appear in the documentation.
4. This notice may not be removed or altered.
LDAP Connector - OpenLDAP
=========================
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
/*-
* Copyright (c) 1994
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)COPYRIGHT 8.1 (Berkeley) 3/16/94
*/
LDAP Connector
==============
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
/*-
* Copyright (c) 1994
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)COPYRIGHT 8.1 (Berkeley) 3/16/94
*/
LDAP Connector - The OpenLDAP Public License
============================================
Version 2.0.1, 21 December 1999
Copyright 1999, The OpenLDAP Foundation, Redwood City, California, USA.
All Rights Reserved.
Redistribution and use of this software and associated documentation
("Software"), with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain copyright
statements and notices. Redistributions must also contain a
copy of this document.
2. Redistributions in binary form must reproduce the
above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other
materials provided with the distribution.
3. The name "OpenLDAP" must not be used to endorse or promote
products derived from this Software without prior written
permission of the OpenLDAP Foundation. For written permission,
please contact [email protected].
4. Products derived from this Software may not be called "OpenLDAP"
nor may "OpenLDAP" appear in their names without prior written
permission of the OpenLDAP Foundation. OpenLDAP is a trademark
of the OpenLDAP Foundation.
5. Due credit should be given to the OpenLDAP Project
(http://www.openldap.org/).
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE OPENLDAP FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
Making Endpoint Encryption for PC FIPS Compliant
The following procedures must be followed to operate the McAfee Endpoint Encryption for PC cryptographic module in a FIPS Approved mode:
1. The module software must be operating in "FIPS" mode. This is done by setting the FIPS registry key value from 0 (disabled) to 1 (enabled). The first step is to create a FIPS registry script (see Appendix A for details). Once the file is created, right-click on the newly created .reg file and select Merge from the drop-down menu.
2. To verify that the registry has been updated properly, the user must install a registry editor, navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier and verify that the value of FipsMode equals 1.
3. All application databases and external media on the device where McAfee
Endpoint Encryption for PCs has been installed MUST be fully encrypted. This is
performed by setting the module’s internal memory encryption parameter to
Encrypt Entire Device.
4. The PC used to run McAfee Endpoint Encryption for PCs Client must be built
using production grade components and configured in a single operator
mode. To do this, the following operating system services must be
disabled:
• Fast user switching
• Terminal services
• Remote registry service
• Secondary logon service
• Telnet service
• Remote desktop and Remote assistance services
Creating the FIPS enable script
The following needs to be saved to a text file with the extension “.reg” and then
merged into the registry as a requirement for installing the module in a FIPS-
compliant mode of operation:
REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier]
"FipsMode"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier\1]
"Path"="c:\\windows\\system32\\drivers\\SafeBoot.sys"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier\2]
"Path"="c:\\windows\\system32\\drivers\\SbAlg.sys"
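A read-only check of the prerequisites in steps 1, 2 and 4 and of the driver paths registered by the script above, added here as an example and not taken from McAfee's documentation or product. The Windows service names it maps the listed services to (FastUserSwitchingCompatibility, TermService, RemoteRegistry, seclogon, TlntSvr) and the Terminal Server registry values it reads for Remote Desktop and Remote Assistance are assumptions about the target Windows build; step 3 (full device encryption) is a product policy setting and is not checked here.

```powershell
# Added example (not McAfee's code): read-only check of the FIPS-mode prerequisites above.
# Run in an elevated Windows PowerShell prompt; exits 1 if any prerequisite is not met.
$verifier = 'HKLM:\System\CurrentControlSet\Services\RsvLock\Verifier'
$failures = @()

# Step 2: FipsMode under the Verifier key must be 1.
$fips = (Get-ItemProperty -Path $verifier -Name FipsMode -ErrorAction SilentlyContinue).FipsMode
if ($fips -ne 1) { $failures += "FipsMode is '$fips' under $verifier (expected 1)" }

# The .reg script registers the two driver paths under subkeys 1 and 2; each must exist on disk.
foreach ($sub in '1', '2') {
    $path = (Get-ItemProperty -Path "$verifier\$sub" -Name Path -ErrorAction SilentlyContinue).Path
    if (-not $path) { $failures += "Verifier\$sub has no Path value"; continue }
    if (-not (Test-Path -Path $path)) { $failures += "Verifier\$sub Path '$path' not found on disk" }
}

# Step 4: services that must be disabled for single-operator mode.
# The display-name to service-name mapping is an assumption; names vary by Windows version.
$services = @{
    'Fast user switching' = 'FastUserSwitchingCompatibility'
    'Terminal services'   = 'TermService'
    'Remote registry'     = 'RemoteRegistry'
    'Secondary logon'     = 'seclogon'
    'Telnet'              = 'TlntSvr'
}
foreach ($entry in $services.GetEnumerator()) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($entry.Value)'"
    if (-not $svc) { continue }   # a service that is not installed cannot run
    if ($svc.StartMode -ne 'Disabled' -or $svc.State -eq 'Running') {
        $failures += "$($entry.Key) ($($entry.Value)): state $($svc.State), start mode $($svc.StartMode)"
    }
}

# Remote Desktop and Remote Assistance are governed by Terminal Server policy values rather
# than by separate services (assumed values): fDenyTSConnections=1 and fAllowToGetHelp=0 mean off.
$ts = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -ne 1) { $failures += 'Remote Desktop is enabled (fDenyTSConnections is not 1)' }
$help = (Get-ItemProperty -Path $ts -Name fAllowToGetHelp -ErrorAction SilentlyContinue).fAllowToGetHelp
if ($help -ne 0) { $failures += 'Remote Assistance is enabled (fAllowToGetHelp is not 0)' }

if ($failures.Count -eq 0) { Write-Output 'All FIPS-mode prerequisites verified.'; exit 0 }
$failures | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

A missing registry value is reported as a failure rather than skipped, so the script errs on the side of flagging an incomplete configuration.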
Index
A
Active Directory, 10
ActivIdentity, 20, 141
algorithm, 5, 8, 12, 83, 99, 100, 140
Attributes
  explained, 6
Auditing, 66
authentication, 5, 7, 9
Authentication
  with a smart card, 5
AutoBoot User, 33, 34
Auto-boot users
  autoboot user, 14, 37
B
BIOS Error codes, 138
boot once, 73
boot process, 60
boot protection status, 31
C
cache, 66
CE Server, 8
challenge / response, 71
Client
  creating an install set, 51
  installing, 56
  overview of, 8
  synchronising, 60
  using, 59
Connector Manager
  overview of, 10
cryptography, 2
Cryptography
  decryption, 60
  encryption, 5, 9, 35, 100
D
Data Recovery, 5
decrypt, 31
Default Password, 13, 14, 37, 74
deploy, 10, 11, 44, 45, 52, 61
disable, 40, 57, 58
disabling users. See Users
DNS, 29, 95
DSA, 7
E
enabling users. See Users
encryption, 35
Encryption
  algorithms, 140
  windows swap file, 5
Encryption Algorithm, 5, 8, 12, 99, 100, 140
Encryption Algorithms
  RC5, 140
Endpoint Encryption. See Client
Endpoint Encryption CE Server, 8
Endpoint Encryption Components
  Endpoint Encryption File Encryptor, 4
  VDisk, 4
Endpoint Encryption File Encryptor, 4
Endpoint Encryption Server
  overview of, 7
Entities
  explained, 6
error codes, 93, 118, 138
error messages, 118
F
File Encryption
  overview of, 9
file group management, 44
Files
  deleting and exporting, 45
  importing new, 45
  ini files, 85
  program and driver files, 99
  properties, 46
FIPS Approved, 152
force sync, 15, 50, 77
Force Sync, 29, 40, 50. See Machines
G
groups, 13, 28, 30, 31, 37, 41, 44, 49, 51, 68, 80
I
Importing Machines
  Importing a transfer database. See Offline Installs
IP Address, 6, 7, 8, 29, 144
L
LDAP, 8, 10
M
Machines
  adding users to, 37
  configuring, 31
  creating, 28
  Forcing Synchronization, 29
  rebooting, 30
  recovering, 71
  synchronisation of, 39
Microsoft, 5, 55, 61, 99
N
NT Domain, 10
O
object directory, 6, 7, 8, 9, 10, 11, 12, 15, 28, 33, 35, 39, 40, 46, 49, 52, 54, 59, 60, 63, 65, 66, 73, 95
Objects
  explained, 6
Offline Installs, 52
P
Password
  Default, 13, 14, 37, 74
passwords, 5, 7, 9, 32, 61, 63
  Reset, 73
Pentium, 144
performance, 8, 140
Placeholder, 28, 52, 53
Pocket Windows 2002, 8
privileges, 7
Q
quickstart guide, 3
R
RC5, 140
Reboot Machine. See Machines
recovery, 5, 8, 9, 36, 38, 71, 72, 73, 74, 99
Recovery
  offline, 71
  online, 77
registry, 11, 47, 49, 99, 101
Registry File, 49
relogon, 65
removing Endpoint Encryption, 56
reset password, 73
RSA, 8, 9
S
SafeTech, 99
SBAdmCL, 66
screen saver, 61
service, 39
smart card. See Authentication
smartport, 141
Smarty, 140
synchronising machines, 39
T
TCP/IP, 6, 7, 8, 144
Tokens
  changing during recovery, 74
transport database, 53
troubleshooting, 117
U
US legislation 508, 61
user status, 6
Users
  device access, 15
  enabling and disabling, 14
  recovering, 71
V
virus protection, 33
W
warning text, 38
Windows 2000, 47
Windows CE, 8
windows logon, 32, 61, 63
Windows Logon
  how it works, 64
X
X500, 8, 10